From 38798b96f634f95f304e31b436b7ed26e2903486 Mon Sep 17 00:00:00 2001
From: Avinash Bharti <90600575+avinash-bharti@users.noreply.github.com>
Date: Thu, 16 Apr 2026 19:13:15 +0530
Subject: [PATCH] fix(security): update axios to ^1.15.0 to fix SSRF via NO_PROXY bypass [APS-18718] - Bump axios from ^1.7.7 to ^1.15.0 - Fixes CVE-2025-62718 / GHSA-3p68-rc4w-qgx5 - Axios did not normalize hostnames when checking NO_PROXY rules, allowing requests to loopback addresses (localhost., [::1]) to bypass NO_PROXY and go through the configured proxy (SSRF risk) Resolves: APS-18718
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 12375a19..ba81a8ae 100644
--- a/package.json
+++ b/package.json
@@ -14,7 +14,7 @@
 "dependencies": {
 "archiver": "5.3.0",
 "async": "3.2.3",
- "axios": "^1.7.7",
+ "axios": "^1.15.0",
 "axios-retry": "^3.5.0",
 "browserstack-local": "^1.5.12",
 "chalk": "4.1.2",
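Review bot: Raising the floor on the `"axios": "^1.15.0"` line does not by itself guarantee the patched release is what gets installed, because the previous range `^1.7.7` already admitted 1.15.0 and a lockfile pinning an older 1.x would still win. The diffstat shows only `package.json` changed, so if the repository commits a `package-lock.json` or `yarn.lock` (not visible here), it should be regenerated in this same commit and the result checked with `npm ls axios`. That check also shows whether any transitive dependency still resolves its own older copy of axios. Since `axios-retry` stays at `^3.5.0` on the next line, it is worth confirming it still works against the resolved axios before release.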