fix(deps): vuln axios (minor → 1.17.0) [integration_tests] #787

Draft

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/integration_tests/1-1781544870

Conversation

@gh-worker-campaigns-3e9aa4

Summary: High-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • integration_tests (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| axios | 1.1.3 | 1.17.0 | minor | Direct | 16 HIGH, 13 MEDIUM, 1 LOW |

Security Details

🚨 Critical & High Severity (16 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| axios | CVE-2025-58754 | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.1.3 | - |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.1.3 | 1.12.0 |
| axios | GHSA-pmwg-cvhr-8vh7 | HIGH | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | 1.1.3 | 1.15.1 |
| axios | GHSA-p92q-9vqr-4j8v | HIGH | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | 1.1.3 | 1.16.0 |
| axios | GHSA-3g43-6gmg-66jw | HIGH | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | 1.1.3 | 1.15.2 |
| axios | GHSA-35jp-ww65-95wh | HIGH | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy | 1.1.3 | 1.16.0 |
| axios | GHSA-6chq-wfr3-2hj9 | HIGH | Axios: Header Injection via Prototype Pollution | 1.1.3 | 1.15.1 |
| axios | GHSA-jr5f-v2jv-69x6 | HIGH | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | 1.1.3 | 1.8.2 |
| axios | CVE-2025-27152 | HIGH | Possible SSRF and Credential Leakage via Absolute URL in axios Requests | 1.1.3 | - |
| axios | GHSA-pjwm-pj3p-43mv | HIGH | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | 1.1.3 | 1.16.0 |
| axios | GHSA-q8qp-cvcw-x6jj | HIGH | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | 1.1.3 | 1.15.2 |
| axios | CVE-2026-25639 | HIGH | Axios affected by Denial of Service via proto Key in mergeConfig | 1.1.3 | - |
| axios | GHSA-43fc-jf86-j433 | HIGH | Axios is Vulnerable to Denial of Service via proto Key in mergeConfig | 1.1.3 | 1.13.5 |
| axios | GHSA-hfxv-24rg-xrqf | HIGH | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | 1.1.3 | 1.16.0 |
| axios | GHSA-pf86-5x62-jrwf | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | 1.1.3 | 1.15.1 |
| axios | GHSA-j5f8-grm9-p9fc | HIGH | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | 1.1.3 | 1.16.0 |
ℹ️ Other Vulnerabilities (14)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| axios | GHSA-898c-q2cr-xwhg | MODERATE | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | 1.1.3 | 1.16.0 |
| axios | GHSA-5c9x-8gcm-mpgx | MODERATE | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | 1.1.3 | 1.15.1 |
| axios | GHSA-m7pr-hjqh-92cm | MODERATE | Axios: no_proxy bypass via IP alias allows SSRF | 1.1.3 | 1.15.1 |
| axios | GHSA-xx6v-rp6x-q39c | MODERATE | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion | 1.1.3 | 1.15.1 |
| axios | GHSA-3p68-rc4w-qgx5 | MODERATE | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | 1.1.3 | 1.15.0 |
| axios | GHSA-vf2m-468p-8v99 | MODERATE | Axios: HTTP adapter streamed responses bypass maxContentLength | 1.1.3 | 1.15.1 |
| axios | CVE-2023-45857 | MODERATE | - | 1.1.3 | - |
| axios | GHSA-wf5p-g6vw-rhxx | MODERATE | Axios Cross-Site Request Forgery Vulnerability | 1.1.3 | 1.6.0 |
| axios | GHSA-62hf-57xw-28j9 | MODERATE | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | 1.1.3 | 1.15.1 |
| axios | GHSA-fvcv-3m26-pcqx | MODERATE | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.1.3 | 1.15.0 |
| axios | GHSA-w9j2-pvgh-6h63 | MODERATE | Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy | 1.1.3 | 1.15.1 |
| axios | GHSA-445q-vr5w-6q77 | MODERATE | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | 1.1.3 | 1.15.1 |
| axios | GHSA-3w6x-2g7m-8v23 | MODERATE | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver | 1.1.3 | 1.15.2 |
| axios | GHSA-xhjh-pmcv-23jw | LOW | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | 1.1.3 | 1.15.1 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

datadog-datadog-prod-us1 Bot commented Jun 15, 2026

Pipelines

⚠️ Warnings

🚦 2 Pipeline jobs failed

  • DataDog/datadog-lambda-js | e2e-test-status (GitLab)
  • build | unit-test (22.11) (GitHub Actions)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: c0826ff
