
fix(deps): vuln axios (minor → 1.16.0) #288

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into main from engraver-auto-version-upgrade/minorpatch/npm/0-1778180999

Conversation

@gh-worker-campaigns-3e9aa4

Summary: High-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- | --- |
| axios | 1.13.6 | 1.16.0 | minor | Direct | 4 HIGH, 10 MODERATE, 1 LOW |

Security Details

🚨 Critical & High Severity (4 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| axios | GHSA-6chq-wfr3-2hj9 | HIGH | Axios: Header Injection via Prototype Pollution | 1.13.6 | 1.15.1 |
| axios | GHSA-pf86-5x62-jrwf | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | 1.13.6 | 1.15.1 |
| axios | GHSA-pmwg-cvhr-8vh7 | HIGH | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | 1.13.6 | 1.15.1 |
| axios | GHSA-q8qp-cvcw-x6jj | HIGH | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | 1.13.6 | 1.15.2 |
ℹ️ Other Vulnerabilities (11)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| axios | GHSA-w9j2-pvgh-6h63 | MODERATE | Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy | 1.13.6 | 1.15.1 |
| axios | GHSA-445q-vr5w-6q77 | MODERATE | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | 1.13.6 | 1.15.1 |
| axios | GHSA-fvcv-3m26-pcqx | MODERATE | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.13.6 | 1.15.0 |
| axios | GHSA-62hf-57xw-28j9 | MODERATE | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | 1.13.6 | 1.15.1 |
| axios | GHSA-vf2m-468p-8v99 | MODERATE | Axios: HTTP adapter streamed responses bypass maxContentLength | 1.13.6 | 1.15.1 |
| axios | GHSA-5c9x-8gcm-mpgx | MODERATE | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | 1.13.6 | 1.15.1 |
| axios | GHSA-m7pr-hjqh-92cm | MODERATE | Axios: no_proxy bypass via IP alias allows SSRF | 1.13.6 | 1.15.1 |
| axios | GHSA-3p68-rc4w-qgx5 | MODERATE | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | 1.13.6 | 1.15.0 |
| axios | GHSA-xx6v-rp6x-q39c | MODERATE | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion | 1.13.6 | 1.15.1 |
| axios | GHSA-3w6x-2g7m-8v23 | MODERATE | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver | 1.13.6 | 1.15.2 |
| axios | GHSA-xhjh-pmcv-23jw | LOW | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | 1.13.6 | 1.15.1 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@gh-worker-campaigns-3e9aa4 (Author)

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details
  • Custom Action: registry.ddbuild.io/images/engraver-custom-action:update-yarn-lockfile ❌ (0.00s) - container exited with non-zero status code: 1:
Error Logs (last 30 lines)
Sourcing Yarn Switch environment
Starting classic install
yarn install v1.22.22
[1/4] Resolving packages...
warning @datadog/datadog-ci > @datadog/datadog-ci-plugin-gate > uuid@9.0.1: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
warning @datadog/datadog-ci > @datadog/datadog-ci-plugin-junit > uuid@9.0.1: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
warning @datadog/datadog-ci > @datadog/datadog-ci-plugin-sarif > uuid@9.0.1: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
warning jest > @jest/core > jest-config > glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
warning jest > @jest/core > jest-runtime > glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
warning jest > @jest/core > @jest/reporters > glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
warning jest > @jest/core > @jest/transform > babel-plugin-istanbul > test-exclude > glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
warning jest > @jest/core > @jest/transform > babel-plugin-istanbul > test-exclude > glob > inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
[2/4] Fetching packages...
info There appears to be trouble with your network connection. Retrying...
info There appears to be trouble with your network connection. Retrying...
info There appears to be trouble with your network connection. Retrying...
info There appears to be trouble with your network connection. Retrying...
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error Error: aborted
    at TLSSocket.socketCloseListener (node:_http_client:534:19)
    at TLSSocket.emit (node:events:531:35)
    at node:net:346:12
    at Socket.done (node:_tls_wrap:667:7)
    at Object.onceWrapper (node:events:634:26)
    at Socket.emit (node:events:531:35)
    at TCP.<anonymous> (node:net:346:12)
info There appears to be trouble with your network connection. Retrying...
Restoring package.json...
package.json restored

Auto-Rebase · Add no-auto-rebase to opt out

@simaoseica-dd force-pushed the engraver-auto-version-upgrade/minorpatch/npm/0-1778180999 branch from 4c11644 to 39fb120 on May 25, 2026 15:31

@simaoseica-dd force-pushed the engraver-auto-version-upgrade/minorpatch/npm/0-1778180999 branch from 82a7817 to 73c945b on May 25, 2026 17:07

@simaoseica-dd force-pushed the engraver-auto-version-upgrade/minorpatch/npm/0-1778180999 branch from 73c945b to ab92f3e on May 26, 2026 11:31