Bump the npm_and_yarn group across 7 directories with 13 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: axios.
Bumps the npm_and_yarn group with 10 updates in the /examples/angular-example directory:

Package	From	To
@angular/compiler	19.2.14	19.2.18
@angular/core	19.2.14	19.2.20
flatted	3.3.3	3.4.2
follow-redirects	1.15.9	1.16.0
liquidjs	10.21.1	10.25.7
lodash	4.17.21	4.18.1
node-forge	1.3.1	1.4.0
path-to-regexp	0.1.12	0.1.13
serialize-javascript	6.0.2	7.0.5
picomatch	2.3.1	2.3.2
picomatch	4.0.2	4.0.4

Bumps the npm_and_yarn group with 4 updates in the /examples/nodejs-example directory: axios, picomatch, follow-redirects and lodash.
Bumps the npm_and_yarn group with 8 updates in the /examples/react-native-example directory:

Package	From	To
picomatch	2.3.1	2.3.2
brace-expansion	1.1.12	1.1.14
serialize-javascript	6.0.2	removed
flatted	3.3.3	3.4.2
follow-redirects	1.15.9	1.16.0
lodash	4.17.21	4.18.1
path-to-regexp	0.1.12	0.1.13
path-to-regexp	0.1.12	0.1.13
sjcl	1.0.8	1.0.9

Bumps the npm_and_yarn group with 3 updates in the /examples/web-example directory: axios, path-to-regexp and liquidjs.
Bumps the npm_and_yarn group with 2 updates in the /examples/webview-server directory: axios and path-to-regexp.
Bumps the npm_and_yarn group with 1 update in the /packages/wasm directory: axios.

Updates axios from 0.25.0 to 0.31.0

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• 00ab2af refactor: change name to have a unified workflow (#10691)
• 9a66c09 chore: added a versioning flow (#10690)
• 03cdfc9 fix: backport the fixes from the v1 branch (#10688)
• 71be4e5 fix: return types in AxiosInstance methods should be Promise<R> (#6253)
• 62610f6 fix: fixed performance issue in isEmptyObject() (#6484)
• 68f97f7 ci: require npm-publish environment for releases (#10667)
• 58a6043 ci: add zizmor and harden v0.x CI (#10638)
• b560d41 ci: add OIDC publish workflow for v0.x (#10639)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates axios from 0.25.0 to 0.31.0

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• 00ab2af refactor: change name to have a unified workflow (#10691)
• 9a66c09 chore: added a versioning flow (#10690)
• 03cdfc9 fix: backport the fixes from the v1 branch (#10688)
• 71be4e5 fix: return types in AxiosInstance methods should be Promise<R> (#6253)
• 62610f6 fix: fixed performance issue in isEmptyObject() (#6484)
• 68f97f7 ci: require npm-publish environment for releases (#10667)
• 58a6043 ci: add zizmor and harden v0.x CI (#10638)
• b560d41 ci: add OIDC publish workflow for v0.x (#10639)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates axios from 0.25.0 to 0.31.0

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• 00ab2af refactor: change name to have a unified workflow (#10691)
• 9a66c09 chore: added a versioning flow (#10690)
• 03cdfc9 fix: backport the fixes from the v1 branch (#10688)
• 71be4e5 fix: return types in AxiosInstance methods should be Promise<R> (#6253)
• 62610f6 fix: fixed performance issue in isEmptyObject() (#6484)
• 68f97f7 ci: require npm-publish environment for releases (#10667)
• 58a6043 ci: add zizmor and harden v0.x CI (#10638)
• b560d41 ci: add OIDC publish workflow for v0.x (#10639)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates axios from 0.25.0 to 0.31.0

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• 00ab2af refactor: change name to have a unified workflow (#10691)
• 9a66c09 chore: added a versioning flow (#10690)
• 03cdfc9 fix: backport the fixes from the v1 branch (#10688)
• 71be4e5 fix: return types in AxiosInstance methods should be Promise<R> (#6253)
• 62610f6 fix: fixed performance issue in isEmptyObject() (#6484)
• 68f97f7 ci: require npm-publish environment for releases (#10667)
• 58a6043 ci: add zizmor and harden v0.x CI (#10638)
• b560d41 ci: add OIDC publish workflow for v0.x (#10639)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates axios from 0.25.0 to 0.31.0

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• 00ab2af refactor: change name to have a unified workflow (#10691)
• 9a66c09 chore: added a versioning flow (#10690)
• 03cdfc9 fix: backport the fixes from the v1 branch (#10688)
• 71be4e5 fix: return types in AxiosInstance methods should be Promise<R> (#6253)
• 62610f6 fix: fixed performance issue in isEmptyObject() (#6484)
• 68f97f7 ci: require npm-publish environment for releases (#10667)
• 58a6043 ci: add zizmor and harden v0.x CI (#10638)
• b560d41 ci: add OIDC publish workflow for v0.x (#10639)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates axios from 0.25.0 to 0.31.0

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• 00ab2af refactor: change name to have a unified workflow (#10691)
• 9a66c09 chore: added a versioning flow (#10690)
• 03cdfc9 fix: backport the fixes from the v1 branch (#10688)
• 71be4e5 fix: return types in AxiosInstance methods should be Promise<R> (#6253)
• 62610f6 fix: fixed performance issue in isEmptyObject() (#6484)
• 68f97f7 ci: require npm-publish environment for releases (#10667)
• 58a6043 ci: add zizmor and harden v0.x CI (#10638)
• b560d41 ci: add OIDC publish workflow for v0.x (#10639)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates axios from 0.25.0 to 0.31.0

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• 00ab2af refactor: change name to have a unified workflow (#10691)
• 9a66c09 chore: added a versioning flow (#10690)

[dependabot]

Superseded by #528.