fix(node): enforce maxContentLength for data: URLs #7011
jasonsaayman merged 3 commits into axios:v1.x from AmeerAssadi:advisory-fix-1
@jasonsaayman plz approve!
Pull Request Overview
This PR addresses a security vulnerability by enforcing maxContentLength limits on data: URLs to prevent denial-of-service attacks through out-of-memory conditions.
- Adds pre-decode size estimation for `data:` URLs to check against `maxContentLength` before decoding
- Implements efficient size calculation for both base64 and non-base64 encoded data without large memory allocations
- Maintains backward compatibility by only enforcing limits when `maxContentLength` is explicitly set to a finite non-negative value
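The pre-decode size check summarised in the overview above can be sketched as follows. This is an added example, not the code merged in this PR or axios's own implementation; the function names `estimateDataUrlDecodedBytes` and `checkDataUrlLimit` and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper names, not axios internals.
// Goal: learn how many bytes a data: URL will decode to by scanning the
// string once, so an oversized payload is rejected before any Buffer exists.

const isHexDigit = (c) =>
  (c >= 48 && c <= 57) || (c >= 65 && c <= 70) || (c >= 97 && c <= 102);

// True when url[i] starts a %XX escape (charCodeAt past the end is NaN).
const isEscapeAt = (url, i) =>
  url.charCodeAt(i) === 37 /* % */ &&
  isHexDigit(url.charCodeAt(i + 1)) &&
  isHexDigit(url.charCodeAt(i + 2));

function estimateDataUrlDecodedBytes(url) {
  if (typeof url !== 'string' || url.slice(0, 5).toLowerCase() !== 'data:') return 0;
  const comma = url.indexOf(',');
  if (comma < 0) return 0; // malformed: no payload part

  // Only a 7-character slice is allocated to read the ";base64" flag.
  const isBase64 =
    url.slice(Math.max(0, comma - 7), comma).toLowerCase() === ';base64';

  let units = 0;       // base64 symbols, or decoded bytes for plain payloads
  let trailingPad = 0; // run of '=' (or %3D) at the end of a base64 payload

  for (let i = comma + 1; i < url.length; i++) {
    const c = url.charCodeAt(i);
    if (isEscapeAt(url, i)) {
      // %XX is one base64 symbol or one decoded byte; %3D is an escaped '='.
      const isPad =
        url.charCodeAt(i + 1) === 51 && (url.charCodeAt(i + 2) | 32) === 100;
      trailingPad = isPad ? trailingPad + 1 : 0;
      units += 1;
      i += 2;
    } else if (isBase64 || c < 0x80) {
      trailingPad = c === 61 /* = */ ? trailingPad + 1 : 0;
      units += 1;
    } else if (c < 0x800) {
      units += 2; // two UTF-8 bytes
    } else if (c >= 0xd800 && c <= 0xdbff &&
               (url.charCodeAt(i + 1) & 0xfc00) === 0xdc00) {
      units += 4; // surrogate pair: four UTF-8 bytes
      i += 1;
    } else {
      units += 3; // three UTF-8 bytes
    }
  }

  if (!isBase64) return units;
  // Every 4 symbols carry 3 bytes; each padding '=' removes one byte.
  return Math.max(0, Math.floor((units * 3) / 4) - Math.min(trailingPad, 2));
}

// The limit applies only when it is a finite, non-negative number, so a
// configuration such as -1 or Infinity leaves behaviour unchanged.
function checkDataUrlLimit(url, maxContentLength) {
  const enforced = Number.isFinite(maxContentLength) && maxContentLength >= 0;
  const estimatedBytes = enforced ? estimateDataUrlDecodedBytes(url) : null;
  return {
    enforced,
    estimatedBytes,
    allowed: !enforced || estimatedBytes <= maxContentLength,
  };
}

// Constructed sample inputs (not taken from the PR).
const samples = [
  ['data:text/plain;base64,TWFuTQ==', 1024],
  ['data:,Hello%2C%20World', 8],
  ['data:application/octet-stream;base64,' + 'A'.repeat(4000), 1024],
  ['data:application/octet-stream;base64,' + 'A'.repeat(4000), -1],
];
for (const [url, limit] of samples) {
  const r = checkDataUrlLimit(url, limit);
  console.log(`${url.slice(0, 40)}... limit=${limit}`, r);
}
```

The estimate for a well-formed payload matches what `Buffer.from(payload, 'base64').length` would report after decoding, which is the property a unit test for such a utility should pin down.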
… condition in base64 padding check
DigitalBrainJS left a comment
Thank you for your contribution. 👍 Although the code looks like it works, it would be nice to add at least one unit test for the utility.
@DigitalBrainJS, thanks for the review, I have implemented the changes.
Hi, @AmeerAssadi! This PR has been published in v1.12.0 release. Thank you for your contribution ❤️!
Bumps [axios](https://github.com/axios/axios) from 1.11.0 to 1.12.0.

Release notes (sourced from [axios's releases](https://github.com/axios/axios/releases)):

Release v1.12.0

Bug Fixes
- adding build artifacts ([9ec86de](https://github.com/axios/axios/commit/9ec86de257bfa33856571036279169f385ed92bd))
- dont add dist on release ([a2edc36](https://github.com/axios/axios/commit/a2edc3606a4f775d868a67bb3461ff18ce7ecd11))
- **fetch-adapter:** set correct Content-Type for Node FormData (#6998) ([a9f47af](https://github.com/axios/axios/commit/a9f47afbf3224d2ca987dbd8188789c7ea853c5d))
- **node:** enforce maxContentLength for data: URLs (#7011) ([945435f](https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593))
- package exports (#5627) ([aa78ac2](https://github.com/axios/axios/commit/aa78ac23fc9036163308c0f6bd2bb885e7af3f36))
- **params:** removing '[' and ']' from URL encode exclude characters (#3316) (#5715) ([6d84189](https://github.com/axios/axios/commit/6d84189349c43b1dcdd977b522610660cc4c7042))
- release pr run ([fd7f404](https://github.com/axios/axios/commit/fd7f404488b2c4f238c2fbe635b58026a634bfd2))
- **types:** change the type guard on isCancel (#5595) ([0dbb7fd](https://github.com/axios/axios/commit/0dbb7fd4f61dc568498cd13a681fa7f907d6ec7e))

Features
- **adapter:** surface low‑level network error details; attach original error via cause (#6982) ([78b290c](https://github.com/axios/axios/commit/78b290c57c978ed2ab420b90d97350231c9e5d74))
- **fetch:** add fetch, Request, Response env config variables for the adapter; (#7003) ([c959ff2](https://github.com/axios/axios/commit/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b))
- support reviver on JSON.parse (#5926) ([2a97634](https://github.com/axios/axios/commit/2a9763426e43d996fd60d01afe63fa6e1f5b4fca)), closes #5924
- **types:** extend AxiosResponse interface to include custom headers type (#6782) ([7960d34](https://github.com/axios/axios/commit/7960d34eded2de66ffd30b4687f8da0e46c4903e))

Contributors to this release
- [Willian Agostini](https://github.com/WillianAgostini) (+132/-16760; #7002 #5926 #6782)
- [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS) (+4263/-293; #7006 #7003)
- [khani](https://github.com/mkhani01) (+111/-15; #6982)
- [Ameer Assadi](https://github.com/AmeerAssadi) (+123/-0; #7011)
- [Emiedonmokumo Dick-Boro](https://github.com/emiedonmokumo) (+55/-35; #6998)
- [Zeroday BYTE](https://github.com/opsysdebug) (+8/-8; #6980)
- [Jason Saayman](https://github.com/jasonsaayman) (+7/-7; #6985 #6985)
- [최예찬](https://github.com/HealGaren) (+5/-7; #5715)
- [Gligor Kotushevski](https://github.com/gligorkot) (+3/-1; #5627)
- [Aleksandar Dimitrov](https://github.com/adimit) (+2/-1; #5595)

Changelog (sourced from [axios's changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)): [1.12.0](https://github.com/axios/axios/compare/v1.11.0...v1.12.0) (2025-09-11)

Commits
- [`0d8ad6e`](https://github.com/axios/axios/commit/0d8ad6e1de0f5339e02bc262d6f0df4936974120) chore(release): v1.12.0 (#7013)
- [`fd7f404`](https://github.com/axios/axios/commit/fd7f404488b2c4f238c2fbe635b58026a634bfd2) fix: release pr run
- [`a2edc36`](https://github.com/axios/axios/commit/a2edc3606a4f775d868a67bb3461ff18ce7ecd11) fix: dont add dist on release
- [`9ec86de`](https://github.com/axios/axios/commit/9ec86de257bfa33856571036279169f385ed92bd) fix: adding build artifacts
- [`945435f`](https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593) fix(node): enforce maxContentLength for data: URLs (#7011)
- [`28e5e30`](https://github.com/axios/axios/commit/28e5e3016d6ed0b3ec489427e4ec00133f45ddc2) chore(sponsor): update sponsor block (#7005)
- [`d03f245`](https://github.com/axios/axios/commit/d03f245a40ec016b190748a865cce9fe3815c903) chore(CI): fixed release info script to use npm registry instead of git as fi...
- [`a0bc911`](https://github.com/axios/axios/commit/a0bc91137950f36a1f6b0a2a60d11fd7f245ff0e) chore: removing dist files from src (#7002)
- [`c959ff2`](https://github.com/axios/axios/commit/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b) feat(fetch): add fetch, Request, Response env config variables for the adapte...
- [`a9f47af`](https://github.com/axios/axios/commit/a9f47afbf3224d2ca987dbd8188789c7ea853c5d) fix(fetch-adapter): set correct Content-Type for Node FormData (#6998)
- Additional commits viewable in [compare view](https://github.com/axios/axios/compare/v1.11.0...v1.12.0)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
href="proxy.php?url=https://redirect.github.com/axios/axios/issues/6998">#6998</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/a9f47afbf3224d2ca987dbd8188789c7ea853c5d">a9f47af</a>)</li> <li><strong>node:</strong> enforce maxContentLength for data: URLs (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/7011">#7011</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593">945435f</a>)</li> <li>package exports (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/5627">#5627</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/aa78ac23fc9036163308c0f6bd2bb885e7af3f36">aa78ac2</a>)</li> <li><strong>params:</strong> removing '[' and ']' from URL encode exclude characters (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/3316">#3316</a>) (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/5715">#5715</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/6d84189349c43b1dcdd977b522610660cc4c7042">6d84189</a>)</li> <li>release pr run (<a href="proxy.php?url=https://github.com/axios/axios/commit/fd7f404488b2c4f238c2fbe635b58026a634bfd2">fd7f404</a>)</li> <li><strong>types:</strong> change the type guard on isCancel (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/5595">#5595</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/0dbb7fd4f61dc568498cd13a681fa7f907d6ec7e">0dbb7fd</a>)</li> </ul> <h3>Features</h3> <ul> <li><strong>adapter:</strong> surface low‑level network error details; attach original error via cause (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/6982">#6982</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/78b290c57c978ed2ab420b90d97350231c9e5d74">78b290c</a>)</li> <li><strong>fetch:</strong> add fetch, Request, Response env config variables for the adapter; (<a 
href="proxy.php?url=https://redirect.github.com/axios/axios/issues/7003">#7003</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b">c959ff2</a>)</li> <li>support reviver on JSON.parse (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/5926">#5926</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/2a9763426e43d996fd60d01afe63fa6e1f5b4fca">2a97634</a>), closes <a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/5924">#5924</a></li> <li><strong>types:</strong> extend AxiosResponse interface to include custom headers type (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/6782">#6782</a>) (<a href="proxy.php?url=https://github.com/axios/axios/commit/7960d34eded2de66ffd30b4687f8da0e46c4903e">7960d34</a>)</li> </ul> <h3>Contributors to this release</h3> <ul> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/WillianAgostini" title="+132/-16760 ([#7002](axios/axios#7002) [#5926](axios/axios#5926) [#6782](axios/axios#6782) )">Willian Agostini</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/DigitalBrainJS" title="+4263/-293 ([#7006](axios/axios#7006) [#7003](axios/axios#7003) )">Dmitriy Mozgovoy</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/mkhani01" title="+111/-15 ([#6982](axios/axios#6982) )">khani</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/AmeerAssadi" title="+123/-0 ([#7011](axios/axios#7011) )">Ameer Assadi</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/emiedonmokumo" title="+55/-35 ([#6998](axios/axios#6998) )">Emiedonmokumo Dick-Boro</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/opsysdebug" title="+8/-8 ([#6980](axios/axios#6980) )">Zeroday BYTE</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/jasonsaayman" 
title="+7/-7 ([#6985](axios/axios#6985) [#6985](axios/axios#6985) )">Jason Saayman</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/HealGaren" title="+5/-7 ([#5715](axios/axios#5715) )">최예찬</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/gligorkot" title="+3/-1 ([#5627](axios/axios#5627) )">Gligor Kotushevski</a></li> <li><!-- raw HTML omitted --> <a href="proxy.php?url=https://github.com/adimit" title="+2/-1 ([#5595](axios/axios#5595) )">Aleksandar Dimitrov</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/0d8ad6e1de0f5339e02bc262d6f0df4936974120"><code>0d8ad6e</code></a> chore(release): v1.12.0 (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/7013">#7013</a>)</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/fd7f404488b2c4f238c2fbe635b58026a634bfd2"><code>fd7f404</code></a> fix: release pr run</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/a2edc3606a4f775d868a67bb3461ff18ce7ecd11"><code>a2edc36</code></a> fix: dont add dist on release</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/9ec86de257bfa33856571036279169f385ed92bd"><code>9ec86de</code></a> fix: adding build artifacts</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593"><code>945435f</code></a> fix(node): enforce maxContentLength for data: URLs (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/7011">#7011</a>)</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/28e5e3016d6ed0b3ec489427e4ec00133f45ddc2"><code>28e5e30</code></a> chore(sponsor): update sponsor block (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/7005">#7005</a>)</li> <li><a 
href="proxy.php?url=https://github.com/axios/axios/commit/d03f245a40ec016b190748a865cce9fe3815c903"><code>d03f245</code></a> chore(CI): fixed release info script to use npm registry instead of git as fi...</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/a0bc91137950f36a1f6b0a2a60d11fd7f245ff0e"><code>a0bc911</code></a> chore: removing dist files from src (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/7002">#7002</a>)</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b"><code>c959ff2</code></a> feat(fetch): add fetch, Request, Response env config variables for the adapte...</li> <li><a href="proxy.php?url=https://github.com/axios/axios/commit/a9f47afbf3224d2ca987dbd8188789c7ea853c5d"><code>a9f47af</code></a> fix(fetch-adapter): set correct Content-Type for Node FormData (<a href="proxy.php?url=https://redirect.github.com/axios/axios/issues/6998">#6998</a>)</li> <li>Additional commits viewable in <a href="proxy.php?url=https://github.com/axios/axios/compare/v1.11.0...v1.12.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
Hello! Unfortunately I'm late to the party. But what's the point of estimating decoded byte length, here: Line 243 in 945435f when the full URL is stored in a string variable, here: Line 242 in 945435f Maybe I'm missing something, but wouldn't the DoS be triggered nonetheless by just extending the encoded URL? |
@diegonc Yes, but weaker. Reaching such a huge buffered string to the server code is already a security breach, and Axios plays a minor role here. To be honest, this vulnerability feels far-fetched to me. If a backend developer somehow allowed a huge string with a data protocol to reach their backend, it would already be buffered in memory, so it almost doesn’t really matter whether Axios decodes it into a new buffer that’s 33% smaller. There is no exponential growth here, either in computing resources or memory. Axios does not accept a URL as a stream, so by the time the Axios call begins, the memory is already occupied by the URL string. As there is no memory leak in Axios, the original string will be freed, and decoding is synchronous, so it’s not possible to overload the backend with memory through high concurrent requests. Yes, there will be a temporary spike in memory usage during decoding — roughly n + 0.66n — but that doesn’t change the overall result. If an attacker is able to send a 100 MB input string, what would stop them from sending 4 GB? Axios itself is not the problem here. |
|
Understood, thanks! |
The reason we estimate the decoded byte length is that the DoS doesn’t occur from the By estimating decoded size before decoding, Axios can enforce |
You’re right that a |
Fix (Node): apply maxContentLength to data: URLs with pre-decode size check

- data: payloads were fully decoded in memory and ignored maxContentLength > possible OOM/DoS.
- maxContentLength is a finite non-negative value, Axios estimates the decoded size and rejects early when it exceeds the cap.
- maxContentLength: -1 means unlimited).
- %3D) and non-base64 (UTF-8 byteLength upper bound).

Security: mitigates DoS.
See GHSA: GHSA-4hjh-wcwx-xvwj • CVE-2025-58754.
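
The pre-decode size check described in this PR, sketched as an added example in JavaScript; it is not the axios implementation. The function names `estimateDecodedBytes` and `checkDataUrl` and the sample URLs are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not axios source.

// Estimate how many bytes a data: URL decodes to, without decoding the payload.
function estimateDecodedBytes(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) return 0;
  const comma = url.indexOf(',');
  if (comma < 0) return 0;
  const meta = url.slice(5, comma); // media type and parameters

  if (!/;base64$/i.test(meta)) {
    // Percent-decoding never grows the data, so the UTF-8 length of the
    // still-encoded body is an upper bound on the decoded size.
    return Buffer.byteLength(url.slice(comma + 1), 'utf8');
  }

  // Drop up to two trailing padding marks, written as '=' or as '%3D'.
  let end = url.length;
  for (let pad = 0; pad < 2; pad++) {
    if (end - 1 > comma && url[end - 1] === '=') end -= 1;
    else if (end - 3 > comma && /^%3d$/i.test(url.slice(end - 3, end))) end -= 3;
    else break;
  }

  // Count base64 characters; a valid %XX escape stands for one character.
  let chars = 0;
  for (let i = comma + 1; i < end; i++) {
    if (url[i] === '%' && i + 2 < end && /^%[0-9a-f]{2}$/i.test(url.slice(i, i + 3))) i += 2;
    chars++;
  }
  return Math.floor((chars * 3) / 4); // 4 characters carry 3 bytes
}

// Decide before decoding. Only a finite, non-negative cap is enforced,
// so -1 (or an unset value) keeps its "unlimited" meaning.
function checkDataUrl(url, maxContentLength) {
  const enforced = Number.isFinite(maxContentLength) && maxContentLength >= 0;
  const estimated = estimateDecodedBytes(url);
  return { estimated, allowed: !enforced || estimated <= maxContentLength };
}

// Constructed sample inputs.
const big = 'data:application/octet-stream;base64,' + 'A'.repeat(4000);
for (const [url, cap] of [[big, 2048], [big, -1], ['data:text/plain;base64,aGVsbG8%3D', 16]]) {
  console.log(url.slice(0, 40), cap, checkDataUrl(url, cap));
}
```

The check bounds only the decoded buffer; as the thread above discusses, the URL string itself is already held in memory by the time the request call begins.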