chore(deps): update dependency axios to v1.7.4 [security] by renovate[bot] · Pull Request #12 · sky-dust-intelligence/langflow

renovate · 2024-06-05T23:38:43Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
axios (source)	`1.3.2` → `1.7.4`

Axios Cross-Site Request Forgery Vulnerability

CVE-2023-45857 / GHSA-wf5p-g6vw-rhxx

More information

Details

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Server-Side Request Forgery in axios

CVE-2024-39338 / GHSA-8hc4-vh64-cxmj

More information

Details

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Severity

High

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

axios/axios (axios)

`v1.7.4`

Compare Source

Bug Fixes

examples: application crashed when navigating examples in browser (#5938) (1260ded)
missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
utils: replace getRandomValues with crypto module (#6788) (23a25af)

Features

Add config for ignoring absolute URLs (#5902) (#6192) (32c7bcc)

Reverts

Revert "chore: expose fromDataToStream to be consumable (#6731)" (#6732) (1317261), closes #6731 #6732

BREAKING CHANGES

code relying on the above will now combine the URLs instead of prefer request URL
feat: add config option for allowing absolute URLs
fix: add default value for allowAbsoluteUrls in buildFullPath
fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

1.7.9 (2024-12-04)

Reverts

Revert "fix(types): export CJS types from ESM (#6218)" (#6729) (c44d2f2), closes #6218 #6729

Contributors to this release

Jay

1.7.8 (2024-11-25)

Bug Fixes

allow passing a callback as paramsSerializer to buildURL (#6680) (eac4619)
core: fixed config merging bug (#6668) (5d99fe4)
fixed width form to not shrink after 'Send Request' button is clicked (#6644) (7ccd5fd)
http: add support for File objects as payload in http adapter (#6588) (#6605) (6841d8d)
http: fixed proxy-from-env module import (#5222) (12b3295)
http: use globalThis.TextEncoder when available (#6634) (df956d1)
ios11 breaks when build (#6608) (7638952)
types: add missing types for mergeConfig function (#6590) (00de614)
types: export CJS types from ESM (#6218) (c71811b)
updated stream aborted error message to be more clear (#6615) (cc3217a)
use URL API instead of DOM to fix a potential vulnerability warning; (#6714) (0a8d6e1)

Contributors to this release

1.7.7 (2024-08-31)

Bug Fixes

fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
http: fixed support for IPv6 literal strings in url (#5731) (364993f)

Contributors to this release

1.7.6 (2024-08-30)

Bug Fixes

fetch: fix content length calculation for FormData payload; (#6524) (085f568)
fetch: optimize signals composing logic; (#6582) (df9889b)

Contributors to this release

1.7.5 (2024-08-23)

Bug Fixes

adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

Contributors to this release

1.7.4 (2024-08-13)

Bug Fixes

sec: CVE-2024-39338 (#6539) (#6543) (6b6b605)
sec: disregard protocol-relative URL to remediate SSRF (#6539) (07a661a)

Contributors to this release

1.7.3 (2024-08-01)

Bug Fixes

adapter: fix progress event emitting; (#6518) (e3c76fc)
fetch: fix withCredentials request config (#6505) (85d4d0e)
xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

Contributors to this release

1.7.2 (2024-05-21)

Bug Fixes

fetch: enhance fetch API detection; (#6413) (4f79aef)

Contributors to this release

Dmitriy Mozgovoy

1.7.1 (2024-05-20)

Bug Fixes

fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

Contributors to this release

Dmitriy Mozgovoy

`v1.7.3`

Compare Source

Bug Fixes

examples: application crashed when navigating examples in browser (#5938) (1260ded)
missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
utils: replace getRandomValues with crypto module (#6788) (23a25af)

Features

Add config for ignoring absolute URLs (#5902) (#6192) (32c7bcc)

Reverts

Revert "chore: expose fromDataToStream to be consumable (#6731)" (#6732) (1317261), closes #6731 #6732

BREAKING CHANGES

code relying on the above will now combine the URLs instead of prefer request URL
feat: add config option for allowing absolute URLs
fix: add default value for allowAbsoluteUrls in buildFullPath
fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

1.7.9 (2024-12-04)

Reverts

Revert "fix(types): export CJS types from ESM (#6218)" (#6729) (c44d2f2), closes #6218 #6729

Contributors to this release

Jay

1.7.8 (2024-11-25)

Bug Fixes

allow passing a callback as paramsSerializer to buildURL (#6680) (eac4619)
core: fixed config merging bug (#6668) (5d99fe4)
fixed width form to not shrink after 'Send Request' button is clicked (#6644) (7ccd5fd)
http: add support for File objects as payload in http adapter (#6588) (#6605) (6841d8d)
http: fixed proxy-from-env module import (#5222) (12b3295)
http: use globalThis.TextEncoder when available (#6634) (df956d1)
ios11 breaks when build (#6608) (7638952)
types: add missing types for mergeConfig function (#6590) (00de614)
types: export CJS types from ESM (#6218) (c71811b)
updated stream aborted error message to be more clear (#6615) (cc3217a)
use URL API instead of DOM to fix a potential vulnerability warning; (#6714) (0a8d6e1)

Contributors to this release

1.7.7 (2024-08-31)

Bug Fixes

fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
http: fixed support for IPv6 literal strings in url (#5731) (364993f)

Contributors to this release

1.7.6 (2024-08-30)

Bug Fixes

fetch: fix content length calculation for FormData payload; (#6524) (085f568)
fetch: optimize signals composing logic; (#6582) (df9889b)

Contributors to this release

1.7.5 (2024-08-23)

Bug Fixes

adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

Contributors to this release

1.7.4 (2024-08-13)

Bug Fixes

sec: CVE-2024-39338 (#6539) (#6543) (6b6b605)
sec: disregard protocol-relative URL to remediate SSRF (#6539) (07a661a)

Contributors to this release

1.7.3 (2024-08-01)

Bug Fixes

adapter: fix progress event emitting; (#6518) (e3c76fc)
fetch: fix withCredentials request config (#6505) (85d4d0e)
xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

Contributors to this release

1.7.2 (2024-05-21)

Bug Fixes

fetch: enhance fetch API detection; (#6413) (4f79aef)

Contributors to this release

Dmitriy Mozgovoy

1.7.1 (2024-05-20)

Bug Fixes

fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

Contributors to this release

Dmitriy Mozgovoy

`v1.7.2`

Compare Source

Bug Fixes

examples: application crashed when navigating examples in browser (#5938) (1260ded)
missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
utils: replace getRandomValues with crypto module (#6788) (23a25af)

Features

Add config for ignoring absolute URLs (#5902) (#6192) (32c7bcc)

Reverts

Revert "chore: expose fromDataToStream to be consumable (#6731)" (#6732) (1317261), closes #6731 #6732

BREAKING CHANGES

code relying on the above will now combine the URLs instead of prefer request URL
feat: add config option for allowing absolute URLs
fix: add default value for allowAbsoluteUrls in buildFullPath
fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

1.7.9 (2024-12-04)

Reverts

Revert "fix(types): export CJS types from ESM (#6218)" (#6729) (c44d2f2), closes #6218 #6729

Contributors to this release

Jay

1.7.8 (2024-11-25)

Bug Fixes

allow passing a callback as paramsSerializer to buildURL (#6680) (eac4619)
core: fixed config merging bug (#6668) (5d99fe4)
fixed width form to not shrink after 'Send Request' button is clicked (#6644) (7ccd5fd)
http: add support for File objects as payload in http adapter (#6588) (#6605) (6841d8d)
http: fixed proxy-from-env module import (#5222) (12b3295)
http: use globalThis.TextEncoder when available (#6634) (df956d1)
ios11 breaks when build (#6608) (7638952)
types: add missing types for mergeConfig function (#6590) (00de614)
types: export CJS types from ESM (#6218) (c71811b)
updated stream aborted error message to be more clear (#6615) (cc3217a)
use URL API instead of DOM to fix a potential vulnerability warning; (#6714) (0a8d6e1)

Contributors to this release

1.7.7 (2024-08-31)

Bug Fixes

fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
http: fixed support for IPv6 literal strings in url (#5731) (364993f)

Contributors to this release

[1.7.6](h

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

cr-gpt · 2024-06-05T23:38:46Z