fix(deps): update dependency axios [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.4.0 -> 1.7.4
axios (source)	0.27.2 -> 0.28.0

GitHub Vulnerability Alerts

CVE-2020-28168

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2021-3749

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2024-39338

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

---

Release Notes

axios/axios (axios)

v1.7.4

Compare Source

Bug Fixes

• examples: application crashed when navigating examples in browser (#​5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#​6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#​6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#​5902) (#​6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#​6731)" (#​6732) (1317261), closes #​6731 #​6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

• fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

• Michael Toscano
• Willian Agostini
• Naron
• shravan || श्रvan
• Justin Dhillon
• yionr
• Shin'ya Ueoka
• Dan Dascalescu
• Nitin Ramnani
• Shay Molcho
• Jay
• fancy45daddy
• Habip Akyol
• Bailey Lissington
• Bernardo da Eira Duarte
• Shivam Batham
• Lipin Kariappa

1.7.9 (2024-12-04)

Reverts

• Revert "fix(types): export CJS types from ESM (#​6218)" (#​6729) (c44d2f2), closes #​6218 #​6729

Contributors to this release

• Jay

1.7.8 (2024-11-25)

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#​6680) (eac4619)
• core: fixed config merging bug (#​6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#​6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#​6588) (#​6605) (6841d8d)
• http: fixed proxy-from-env module import (#​5222) (12b3295)
• http: use globalThis.TextEncoder when available (#​6634) (df956d1)
• ios11 breaks when build (#​6608) (7638952)
• types: add missing types for mergeConfig function (#​6590) (00de614)
• types: export CJS types from ESM (#​6218) (c71811b)
• updated stream aborted error message to be more clear (#​6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#​6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

1.7.7 (2024-08-31)

Bug Fixes

• fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#​6584) (d198085)
• http: fixed support for IPv6 literal strings in url (#​5731) (364993f)

Contributors to this release

• Rishi556
• Dmitriy Mozgovoy

1.7.6 (2024-08-30)

Bug Fixes

• fetch: fix content length calculation for FormData payload; (#​6524) (085f568)
• fetch: optimize signals composing logic; (#​6582) (df9889b)

Contributors to this release

• Dmitriy Mozgovoy
• Jacques Germishuys
• kuroino721

1.7.5 (2024-08-23)

Bug Fixes

• adapter: fix undefined reference to hasBrowserEnv (#​6572) (7004707)
• core: add the missed implementation of AxiosError#status property; (#​6573) (6700a8a)
• core: fix ReferenceError: navigator is not defined for custom environments; (#​6567) (fed1a4b)
• fetch: fix credentials handling in Cloudflare workers (#​6533) (550d885)

Contributors to this release

• Dmitriy Mozgovoy
• Antonin Bas
• Hans Otto Wirtz

1.7.4 (2024-08-13)

Bug Fixes

• sec: CVE-2024-39338 (#​6539) (#​6543) (6b6b605)
• sec: disregard protocol-relative URL to remediate SSRF (#​6539) (07a661a)

Contributors to this release

• Lev Pachmanov
• Đỗ Trọng Hải

1.7.3 (2024-08-01)

Bug Fixes

• adapter: fix progress event emitting; (#​6518) (e3c76fc)
• fetch: fix withCredentials request config (#​6505) (85d4d0e)
• xhr: return original config on errors from XHR adapter (#​6515) (8966ee7)

Contributors to this release

• Dmitriy Mozgovoy
• Valerii Sidorenko
• prianYu

1.7.2 (2024-05-21)

Bug Fixes

• fetch: enhance fetch API detection; (#​6413) (4f79aef)

Contributors to this release

• Dmitriy Mozgovoy

1.7.1 (2024-05-20)

Bug Fixes

• fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#​6410) (733f15f)

Contributors to this release

• Dmitriy Mozgovoy

v1.7.3

Compare Source

Bug Fixes

• examples: application crashed when navigating examples in browser (#​5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#​6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#​6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#​5902) (#​6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#​6731)" (#​6732) (1317261), closes #​6731 #​6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

• fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

• Michael Toscano
• Willian Agostini
• Naron
• shravan || श्रvan
• Justin Dhillon
• yionr
• Shin'ya Ueoka
• Dan Dascalescu
• Nitin Ramnani
• Shay Molcho
• Jay
• fancy45daddy
• Habip Akyol
• Bailey Lissington
• Bernardo da Eira Duarte
• Shivam Batham
• Lipin Kariappa

1.7.9 (2024-12-04)

Reverts

• Revert "fix(types): export CJS types from ESM (#​6218)" (#​6729) (c44d2f2), closes #​6218 #​6729

Contributors to this release

• Jay

1.7.8 (2024-11-25)

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#​6680) (eac4619)
• core: fixed config merging bug (#​6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#​6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#​6588) (#​6605) (6841d8d)
• http: fixed proxy-from-env module import (#​5222) (12b3295)
• http: use globalThis.TextEncoder when available (#​6634) (df956d1)
• ios11 breaks when build (#​6608) (7638952)
• types: add missing types for mergeConfig function (#​6590) (00de614)
• types: export CJS types from ESM (#​6218) (c71811b)
• updated stream aborted error message to be more clear (#​6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#​6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

1.7.7 (2024-08-31)

Bug Fixes

• fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#​6584) (d198085)
• http: fixed support for IPv6 literal strings in url (#​5731) (364993f)

Contributors to this release

• Rishi556
• Dmitriy Mozgovoy

1.7.6 (2024-08-30)

Bug Fixes

• fetch: fix content length calculation for FormData payload; (#​6524) (085f568)
• fetch: optimize signals composing logic; (#​6582) (df9889b)

Contributors to this release

• Dmitriy Mozgovoy
• Jacques Germishuys
• kuroino721

1.7.5 (2024-08-23)

Bug Fixes

• adapter: fix undefined reference to hasBrowserEnv (#​6572) (7004707)
• core: add the missed implementation of AxiosError#status property; (#​6573) (6700a8a)
• core: fix ReferenceError: navigator is not defined for custom environments; (#​6567) (fed1a4b)
• fetch: fix credentials handling in Cloudflare workers (#​6533) (550d885)

Contributors to this release

• Dmitriy Mozgovoy
• Antonin Bas
• Hans Otto Wirtz

1.7.4 (2024-08-13)

Bug Fixes

• sec: CVE-2024-39338 (#​6539) (#​6543) (6b6b605)
• sec: disregard protocol-relative URL to remediate SSRF (#​6539) (07a661a)

Contributors to this release

• Lev Pachmanov
• Đỗ Trọng Hải

1.7.3 (2024-08-01)

Bug Fixes

• adapter: fix progress event emitting; (#​6518) (e3c76fc)
• fetch: fix withCredentials request config (#​6505) (85d4d0e)
• xhr: return original config on errors from XHR adapter (#​6515) (8966ee7)

Contributors to this release

• Dmitriy Mozgovoy
• Valerii Sidorenko
• prianYu

1.7.2 (2024-05-21)

Bug Fixes

• fetch: enhance fetch API detection; (#​6413) (4f79aef)

Contributors to this release

• Dmitriy Mozgovoy

1.7.1 (2024-05-20)

Bug Fixes

• fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#​6410) (733f15f)

Contributors to this release

• Dmitriy Mozgovoy

v1.7.2

Compare Source

Bug Fixes

• examples: application crashed when navigating examples in browser (#​5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#​6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#​6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#​5902) (#​6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#​6731)" (#​6732) (1317261), closes #​6731 #​6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

• fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

• Michael Toscano
• Willian Agostini
• Naron
• shravan || श्रvan
• Justin Dhillon
• yionr
• Shin'ya Ueoka
• Dan Dascalescu
• Nitin Ramnani
• Shay Molcho
• Jay
• fancy45daddy
• Habip Akyol
• Bailey Lissington
• Bernardo da Eira Duarte
• Shivam Batham
• Lipin Kariappa

1.7.9 (2024-12-04)

Reverts

• Revert "fix(types): export CJS types from ESM (#​6218)" (#​6729) (c44d2f2), closes #​6218 #​6729

Contributors to this release

• Jay

1.7.8 (2024-11-25)

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#​6680) (eac4619)
• core: fixed config merging bug (#​6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#​6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#​6588) (#​6605) (6841d8d)
• http: fixed proxy-from-env module import (#​5222) (12b3295)
• http: use globalThis.TextEncoder when available (#​6634) (df956d1)
• ios11 breaks when build (#​6608) (7638952)
• types: add missing types for mergeConfig function (#​6590) (00de614)
• types: export CJS types from ESM (#​6218) (c71811b)
• updated stream aborted error message to be more clear (#​6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#​6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

1.7.7 (2024-08-31)

Bug Fixes

• fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#​6584) (d198085)
• http: fixed support for IPv6 literal strings in url (#​5731) (364993f)

Contributors to this release

• Rishi556
• Dmitriy Mozgovoy

1.7.6 (2024-08-30)

Bug Fixes

• fetch: fix content length calculation for FormData payload; (#​6524) (085f568)
• fetch: optimize signals composing logic; (#​6582) (df9889b)

Contributors to this release

• Dmitriy Mozgovoy
• Jacques Germishuys
• kuroino721

1.7.5 (2024-08-23)

Bug Fixes

• adapter: fix undefined reference to hasBrowserEnv (#​6572) (7004707)
• core: add the missed implementation of AxiosError#status property; (#​6573) (6700a8a)
• core: fix ReferenceError: navigator is not defined for custom environments; (#​6567) (fed1a4b)
• fetch: fix credentials handling in Cloudflare workers (#​6533) (550d885)

Contributors to this release

• Dmitriy Mozgovoy
• Antonin Bas
• Hans Otto Wirtz

1.7.4 (2024-08-13)

Bug Fixes

• sec: CVE-2024-39338 (#​6539) (#​6543) (6b6b605)
• sec: disregard protocol-relative URL to remediate SSRF (#​6539) (07a661a)

Contributors to this release

• Lev Pachmanov
• Đỗ Trọng Hải

1.7.3 (2024-08-01)

Bug Fixes

• adapter: fix progress event emitting; (#​6518) (e3c76fc)
• fetch: fix withCredentials request config (#​6505) (85d4d0e)
• xhr: return original config on errors from XHR adapter (#​6515) (8966ee7)

Contributors to this release

• <img src="https://avatars.githubusercontent.com/u/12586868?

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Singapore, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nusmods-export	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 24, 2025 2:09pm
nusmods-website	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 24, 2025 2:09pm

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 52.75%. Comparing base (988c6fd) to head (ea6c019).
Report is 126 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4033      +/-   ##
==========================================
- Coverage   54.52%   52.75%   -1.78%     
==========================================
  Files         274      287      +13     
  Lines        6076     6659     +583     
  Branches     1455     1628     +173     
==========================================
+ Hits         3313     3513     +200     
- Misses       2763     3146     +383     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.