erezrokah / aws-testing-library / 18267202286
100%
master: 100%

LAST BUILD BRANCH: renovate/major-commitlint-monorepo
DEFAULT BRANCH: master
Ran
Jobs 6
Files 34
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 99.726%. Remained the same
18267202286

push

github

web-flow 
chore(deps): update dependency axios to v0.30.2 [security] (#941)

> [!NOTE]
> Mend has cancelled [the proposed
renaming](https://redirect.github.com/renovatebot/renovate/discussions/37842)
of the Renovate GitHub app being renamed to `mend[bot]`.
> 
> This notice will be removed on 2025-10-07.

<hr>

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [axios](https://axios-http.com)
([source](https://redirect.github.com/axios/axios)) | [`0.30.0` ->
`0.30.2`](https://renovatebot.com/diffs/npm/axios/0.30.0/0.30.2) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/axios/0.30.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/axios/0.30.0/0.30.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-58754](https://redirect.github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj)

## Summary

When Axios runs on Node.js and is given a URL with the `data:` scheme,
it does not perform HTTP. Instead, its Node http adapter decodes the
entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200
response.
This path ignores `maxContentLength` / `maxBodyLength` (which only
protect HTTP responses), so an attacker can supply a very large `data:`
URI and cause the process to allocate unbounded memory and crash (DoS),
even if the caller requested `responseType: 'stream'`.

## Details

The Node adapter (`lib/adapters/http.js`) supports the `data:` scheme.
When `axios` encounters a request whose URL starts with `data:`, it does
not perform an HTTP request. Instead, it calls `fromDataURI()` to decode
the Base64 payload into a Buffer or Blob.

Relevant code from
[`[httpAdapter](https://redirect.github.com/axios/axios/blob/c959ff290/lib/adapters/http.js#L231)`](https://redirect.github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea... (continued)

122 of 124 branches covered (98.39%)

Branch coverage included in aggregate %.

606 of 606 relevant lines covered (100.0%)

27.85 hits per line

Jobs
ID Job ID Ran Files Coverage
1 run-windows-latest-node-16.10.0 - 18267202286.1 34
99.73
 GitHub Action Run
2 run-macos-latest-node-lts/* - 18267202286.2 34
99.73
 GitHub Action Run
3 run-macos-latest-node-16.10.0 - 18267202286.3 34
99.73
 GitHub Action Run
4 run-ubuntu-latest-node-16.10.0 - 18267202286.4 34
99.73
 GitHub Action Run
5 run-ubuntu-latest-node-lts/* - 18267202286.5 34
99.73
 GitHub Action Run
6 run-windows-latest-node-lts/* - 18267202286.6 34
99.73
 GitHub Action Run
Source Files on build 18267202286