[Snyk] Upgrade axios from 1.3.4 to 1.13.4

[snyk-io]

Snyk has created this PR to upgrade axios from 1.3.4 to 1.13.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 43 versions ahead of your current version.

• The recommended version was released 22 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-AXIOS-15252993	111	Proof of Concept
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	111	Proof of Concept
	Prototype Pollution SNYK-JS-AXIOS-6144788	111	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-7361793	111	Proof of Concept
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	111	Proof of Concept
	Allocation of Resources Without Limits or Throttling SNYK-JS-AXIOS-12613773	111	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	111	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-9292519	111	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-9403194	111	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	111	Proof of Concept
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	111	Proof of Concept
	Improper Input Validation SNYK-JS-NANOID-8492085	111	No Known Exploit
	Improper Input Validation SNYK-JS-POSTCSS-5926692	111	No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

Release notes

Package name: axios

• 1.13.4 - 2026-01-27
  

  Overview

  The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

  Full Changelog: v1.13.3...v1.13.4

  What's New in v1.13.4

  Bug Fixes

  • fix: issues with version 1.13.3 (#7352) (ee90dfc)
    • Fixed issues discovered in v1.13.3 release
    • Cleaned up interceptor test files
    • Improved workflow configurations

  Infrastructure & CI/CD

  • refactor: ci and build (#7340) (8ff6c19)

    • Major refactoring of CI/CD workflows
    • Consolidated workflow files for better maintainability
    • Added mise configuration for the development environment
    • Improved sponsor block update automation
    • Enhanced issue and PR templates
    • Added automatic release notes generation
    • Implemented workflow cancellation for concurrent runs

  • chore: codegen and some updates to workflows (76cf77b)

    • Code generation improvements
    • Workflow optimisations

  Migration Notes

  Breaking Changes

  None in this release.

  Deprecations

  None in this release.

  Contributors

  Thank you to all contributors who made this release possible! Special thanks to:

  • jasonsaayman - Release management and CI/CD improvements
• 1.13.3 - 2026-01-25
  

  Release notes:

  Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

  Features

  • add undefined as a value in AxiosRequestConfig (#5560) (095033c)
  • add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
  • add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
  • added copilot instructions (3f83143)
  • compatibility with frozen prototypes (#6265) (860e033)
  • enhance pipeFileToResponse with error handling (#7169) (88d7884)
  • types: Intellisense for string literals in a widened union (#6134) (f73474d), closes /github.com/microsoft/TypeScript/issues/33471#issuecomment-1376364329

  Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

  Contributors to this release

  • Ashvin Tiwari
  • Nikunj Mochi
  • Anchal Singh
  • jasonsaayman
  • Julian Dax
  • Akash Dhar Dubey
  • Madhumita
  • Tackoil
  • Justin Dhillon
  • Rudransh
  • WuMingDao
  • codenomnom
  • Nandan Acharya
  • Eric Dubé
  • Tibor Pilz
  • Gabriel Quaresma
  • Turadg Aleahmad
  • JohnTitor
  • rohit miryala
  • Wilson Mun
  • techcodie
  • Ved Vadnere
  • svihpinc
  • SANDESH LENDVE
  • Lubos
  • Jarred Sumner
  • Adam Hines
  • Subhan Kumar Rai
  • Joseph Frazier
  • KT0803
  • Albie
  • Jake Hayes
• 1.13.2 - 2025-11-04
  

  Release notes:

  Bug Fixes

  • http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
  • http: use default export for http2 module to support stubs; (#7196) (0588880)

  Performance Improvements

  • http: fix early loop exit; (#7202) (12c314b)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Kasper Isager Dalsgarð
• 1.13.1 - 2025-10-28
  

  Release notes:

  Bug Fixes

  • http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

  Contributors to this release

  • Anchal Singh
  • Dmitriy Mozgovoy
• 1.13.0 - 2025-10-27
  

  Release notes:

  Bug Fixes

  • fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
  • resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

  Features

  • http: add HTTP2 support; (#7150) (d676df7)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Noritaka Kobayashi
  • Aviraj2929
  • prasoon patel
  • Samyak Dandge
  • Anchal Singh
  • Rahul Kumar
  • Amit Verma
  • Abhishek3880
  • Dhvani Maktuporia
  • Usama Ayoub
  • ikuy1203
  • Nikhil Simon Toppo
  • Jane Wangari
  • Supakorn Ieamgomol
  • Kian-Meng Ang
  • UTSUMI Keiji
• 1.12.2 - 2025-09-14
  

  Release notes:

  Bug Fixes

  • fetch: use current global fetch instead of cached one when env fetch is not specified to keep MSW support; (#7030) (cf78825)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Noritaka Kobayashi
• 1.12.1 - 2025-09-12
  

  Release notes:

  Bug Fixes

  • types: fixed env config types; (#7020) (b5f26b7)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.12.0 - 2025-09-11
  

  Release notes:

  Bug Fixes

  • adding build artifacts (9ec86de)
  • dont add dist on release (a2edc36)
  • fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
  • node: enforce maxContentLength for data: URLs (#7011) (945435f)
  • package exports (#5627) (aa78ac2)
  • params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
  • release pr run (fd7f404)
  • types: change the type guard on isCancel (#5595) (0dbb7fd)

  Features

  • adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
  • fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
  • support reviver on JSON.parse (#5926) (2a97634), closes #5924
  • types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

  Contributors to this release

  • Willian Agostini
  • Dmitriy Mozgovoy
  • khani
  • Ameer Assadi
  • Emiedonmokumo Dick-Boro
  • Zeroday BYTE
  • Jason Saayman
  • 최예찬
  • Gligor Kotushevski
  • Aleksandar Dimitrov
• 1.11.0 - 2025-07-23
• 1.10.0 - 2025-06-14
• 1.9.0 - 2025-04-24
• 1.8.4 - 2025-03-19
• 1.8.3 - 2025-03-12
• 1.8.2 - 2025-03-07
• 1.8.1 - 2025-02-26
• 1.8.0 - 2025-02-26
• 1.7.9 - 2024-12-04
• 1.7.8 - 2024-11-25
• 1.7.7 - 2024-08-31
• 1.7.6 - 2024-08-30
• 1.7.5 - 2024-08-23
• 1.7.4 - 2024-08-13
• 1.7.3 - 2024-08-01
• 1.7.2 - 2024-05-21
• 1.7.1 - 2024-05-20
• 1.7.0 - 2024-05-19
• 1.7.0-beta.2 - 2024-05-19
• 1.7.0-beta.1 - 2024-05-07
• 1.7.0-beta.0 - 2024-04-28
• 1.6.8 - 2024-03-15
• 1.6.7 - 2024-01-25
• 1.6.6 - 2024-01-24
• 1.6.5 - 2024-01-05
• 1.6.4 - 2024-01-03
• 1.6.3 - 2023-12-26
• 1.6.2 - 2023-11-14
• 1.6.1 - 2023-11-08
• 1.6.0 - 2023-10-26
• 1.5.1 - 2023-09-26
• 1.5.0 - 2023-08-26
• 1.4.0 - 2023-04-27
• 1.3.6 - 2023-04-19
• 1.3.5 - 2023-04-05
• 1.3.4 - 2023-02-22

from axios GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[snyk-io]

This is a minor version upgrade for axios from 1.3.4 to 1.13.4. The updates within this range consist of bug fixes, security patches, performance improvements, and new optional features. No breaking changes have been documented in the official release notes for this version span.

Key Changes:

• Includes multiple bug fixes related to HTTP/2, interceptors, and error handling.
• Adds new features and improvements, such as enhanced type definitions and compatibility with frozen prototypes.
• The release notes for the latest versions in this range explicitly state "Breaking Changes: None in this release".

This upgrade is considered safe with no mandatory code changes required.

Source: GitHub Releases

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.