chore(monorepo): update pnpm-workspace.overrides follow-redirects to >=1.16.0 [security]#9

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-follow-redirects-vulnerability
Conversation

@renovate renovate Bot commented Apr 19, 2026

This PR contains the following updates:

Package: follow-redirects
Change: >=1.15.9 -> >=1.16.0

follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets

GHSA-r4q5-vmmm-2653

More information

Details

Summary

When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.

Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.

Affected Code

index.js, lines 469-476:

if (redirectUrl.protocol !== currentUrlParts.protocol &&
   redirectUrl.protocol !== "https:" ||
   redirectUrl.host !== currentHost &&
   !isSubdomain(redirectUrl.host, currentHost)) {
  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}

The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.

Attack Scenario
  1. App uses axios with custom auth header: headers: { 'X-API-Key': 'sk-live-secret123' }
  2. Server returns 302 Location: https://evil.com/steal
  3. follow-redirects sends X-API-Key: sk-live-secret123 to evil.com
  4. Attacker captures the API key

Impact

Any custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.

Suggested Fix

Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.

Disclosure

Source code review, manually verified. Found 2026-03-20.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

follow-redirects/follow-redirects (follow-redirects)

v1.16.0

v1.15.11

v1.15.10



Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
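As an added example, not follow-redirects' own code, the following models the decision at index.js:469-476 quoted in the advisory above: the vulnerable regex on its own (which lets X-API-Key through) beside a hardened variant that also strips a caller-supplied list of custom auth headers, the sensitiveHeaders approach the advisory suggests. The function names, the default header list and the sample request are assumptions for illustration, not library APIs.

```javascript
// Added example, not follow-redirects' own code: a model of the cross-domain
// header-stripping decision at index.js:469-476, with the vulnerable regex
// beside a hardened variant that also drops caller-listed custom auth headers.

// The regex the affected versions apply on a cross-domain redirect.
const STANDARD_SENSITIVE = /^(?:(?:proxy-)?authorization|cookie)$/i;

// Assumed default extension list (hypothetical; not a follow-redirects option).
const DEFAULT_CUSTOM_SENSITIVE = ["x-api-key", "x-auth-token", "api-key", "token"];

// Re-implementation of follow-redirects' isSubdomain check:
// "api.example.com" is a subdomain of "example.com"; "example.com" is not of itself.
function isSubdomain(subdomain, domain) {
  const dot = subdomain.length - domain.length - 1;
  return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
}

// Same boolean as the snippet's if-condition: true when the redirect leaves
// the current host (and is not a subdomain) or downgrades away from https.
function isCrossDomain(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const protocolDowngrade = to.protocol !== from.protocol && to.protocol !== "https:";
  const hostChange = to.host !== from.host && !isSubdomain(to.host, from.host);
  return protocolDowngrade || hostChange;
}

// Headers that would be forwarded to the redirect target. With customSensitive
// set to [] this reproduces the vulnerable behaviour (only the regex applies);
// with a list it behaves like the suggested sensitiveHeaders fix.
function headersForRedirect(headers, fromUrl, toUrl, customSensitive = DEFAULT_CUSTOM_SENSITIVE) {
  const out = { ...headers };
  if (!isCrossDomain(fromUrl, toUrl)) return out;
  const custom = new Set(customSensitive.map((h) => h.toLowerCase()));
  for (const name of Object.keys(out)) {
    if (STANDARD_SENSITIVE.test(name) || custom.has(name.toLowerCase())) delete out[name];
  }
  return out;
}

// Constructed sample mirroring the advisory's attack scenario.
const sample = { "X-API-Key": "sk-live-secret123", Authorization: "Bearer t0k3n", Accept: "application/json" };
const from = "https://api.example.com/v1/me";
const to = "https://evil.example/steal";
console.log("vulnerable:", headersForRedirect(sample, from, to, []));  // X-API-Key still present
console.log("hardened:  ", headersForRedirect(sample, from, to));      // only Accept remains
```

A same-host or subdomain redirect returns the headers unchanged in both modes, so the hardened list only costs headers at a trust boundary.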

@renovate renovate Bot added the dependencies Upgrade or downgrade of project dependencies. label Apr 19, 2026
@renovate renovate Bot requested a review from a team April 19, 2026 03:08
@renovate renovate Bot enabled auto-merge (squash) April 19, 2026 03:08
@renovate renovate Bot added the dependencies Upgrade or downgrade of project dependencies. label Apr 19, 2026
@renovate renovate Bot requested review from a team and sullivanpj as code owners April 19, 2026 03:09
@renovate renovate Bot force-pushed the renovate/npm-follow-redirects-vulnerability branch from e94eb2c to b2bcd03 April 30, 2026 02:12