chore(deps): fix axios security vulnerability

[gauthier-th]

Description

Patch CVE-2026-40175: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

How Has This Been Tested?

N/A

Checklist:

• I have read and followed the contribution guidelines.
• Disclosed any use of AI (see our policy)
• I have updated the documentation accordingly.
• All new and existing tests passed.
• Successful build pnpm build
• Translation keys pnpm i18n:extract
• Database migration (if required)

Summary by CodeRabbit

• Chores
  • Updated core dependencies to latest stable versions for improved application reliability and security.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 91d86d94-d06e-4dce-8008-d39720dec2b8

📥 Commits

Reviewing files that changed from the base of the PR and between a133930 and 5d32bcc.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• package.json
• server/lib/imageproxy.ts

---

📝 Walkthrough

Walkthrough

Updated runtime dependencies in package.json with new versions of axios and axios-rate-limit. Added TypeScript type annotation to the axios property in the ImageProxy class for improved type safety, with no runtime behavior changes.

Changes

Cohort / File(s)	Summary
Dependency Updates package.json	Bumped axios from 1.13.3 to 1.15.0 and axios-rate-limit from 1.4.0 to 1.9.0.
Type Safety server/lib/imageproxy.ts	Added AxiosInstance type annotation to the private axios field for compile-time type checking.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 Dependencies dance, so fresh and new,
Axios springs to version two-point-oh-true!
Type annotations make our code so bright,
Not a single runtime change in sight.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(deps): fix axios security vulnerability' directly and clearly relates to the main change: upgrading axios from 1.13.3 to 1.15.0 to address CVE-2026-40175, which is the primary objective of this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cypress]

seerr    Run #3341

Run Properties:   Passed #3341  •  9c4c674dc9: chore(deps): fix axios security vulnerability (#2872)

Project	seerr
Branch Review	develop
Run status	Passed #3341
Run duration	02m 27s
Commit	9c4c674dc9: chore(deps): fix axios security vulnerability (#2872)
Committer	Gauthier
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	0
Pending	0
Skipped	0
Passing	32
View all changes introduced in this branch ↗︎