
chore(deps): update dependency follow-redirects@<1.15.4 to >=1.16.0 [security]#3741

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-follow-redirects-1.15.4-vulnerability

Conversation


@renovate renovate Bot commented Apr 14, 2026

This PR contains the following updates:

Package                    Change                   Age      Adoption    Passing    Confidence
follow-redirects@<1.15.4   >=1.15.11 -> >=1.16.0    (badge)  (badge)     (badge)    (badge)

follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets

GHSA-r4q5-vmmm-2653

More information

Details

Summary

When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.

Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.

Affected Code

index.js, lines 469-476:

// Cross-domain test: a protocol downgrade (anything other than https after a change)
// OR a host that is neither the current host nor one of its subdomains.
// Note the precedence: (A && B) || (C && D).
if (redirectUrl.protocol !== currentUrlParts.protocol &&
   redirectUrl.protocol !== "https:" ||
   redirectUrl.host !== currentHost &&
   !isSubdomain(redirectUrl.host, currentHost)) {
  // Only these three header names are dropped; any other header is forwarded as-is.
  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}

The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.

Attack Scenario
  1. App uses axios with custom auth header: headers: { 'X-API-Key': 'sk-live-secret123' }
  2. Server returns 302 Location: https://evil.com/steal
  3. follow-redirects sends X-API-Key: sk-live-secret123 to evil.com
  4. Attacker captures the API key

Impact

Any custom auth header set via axios leaks on cross-domain redirect. This is an extremely common pattern, and it affects all axios users in Node.js.

Suggested Fix

Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.

Disclosure

Source code review, manually verified. Found 2026-03-20.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

follow-redirects/follow-redirects (follow-redirects@<1.15.4)

v1.16.0



Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
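An added example (not follow-redirects' or the advisory's own code) of the header policy the Suggested Fix describes: the same cross-domain test as the quoted snippet, plus a caller-supplied sensitiveHeaders list so custom credential headers such as X-API-Key are dropped alongside authorization and cookie. The names headersForRedirect, isCrossDomainRedirect and the sensitiveHeaders parameter are assumptions of this example.

```javascript
// Default set: the same three names the vulnerable regex strips.
const DEFAULT_SENSITIVE = /^(?:(?:proxy-)?authorization|cookie)$/i;

// Same semantics as the isSubdomain helper in the quoted snippet:
// true when `subdomain` ends with "." + domain.
function isSubdomain(subdomain, domain) {
  const dot = subdomain.length - domain.length - 1;
  return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
}

// Mirrors the (A && B) || (C && D) condition at index.js:469-476.
function isCrossDomainRedirect(currentUrl, redirectUrl) {
  const cur = new URL(currentUrl);
  const next = new URL(redirectUrl);
  const protocolDowngrade = next.protocol !== cur.protocol && next.protocol !== "https:";
  const hostChanged = next.host !== cur.host && !isSubdomain(next.host, cur.host);
  return protocolDowngrade || hostChanged;
}

// Returns the headers that may be sent to `redirectUrl`. On a cross-domain redirect
// the default credentials AND every name in `sensitiveHeaders` (case-insensitive,
// an assumed extension option) are removed; same-domain redirects keep everything.
function headersForRedirect(headers, currentUrl, redirectUrl, sensitiveHeaders = []) {
  if (!isCrossDomainRedirect(currentUrl, redirectUrl)) return { ...headers };
  const extra = new Set(sensitiveHeaders.map((h) => h.toLowerCase()));
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (DEFAULT_SENSITIVE.test(lower) || extra.has(lower)) continue; // dropped
    kept[name] = value;
  }
  return kept;
}

// Constructed sample request headers (no real credentials).
const SAMPLE_HEADERS = {
  "X-API-Key": "constructed-key",
  Authorization: "Bearer constructed-token",
  Accept: "application/json",
};

module.exports = { isCrossDomainRedirect, headersForRedirect, SAMPLE_HEADERS };
```

Without the sensitiveHeaders argument the function reproduces the vulnerable behaviour (X-API-Key survives the cross-domain hop); passing ["x-api-key"] is the mitigation.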

@renovate renovate Bot requested a review from a team as a code owner April 14, 2026 07:57
@renovate renovate Bot added the renovate label Apr 14, 2026
@renovate renovate Bot requested review from chihiro-adachi and shabaraba and removed request for a team April 14, 2026 07:57

renovate Bot commented Apr 14, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 12 workspace projects
 ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE  Invalid value in minimumReleaseAgeExclude: Invalid versions union. Found: "follow-redirects@<1.15.4@1.16.0". Use exact versions only.

@renovate renovate Bot changed the title chore(deps): update dependency follow-redirects@<1.15.4 to >=1.16.0 [security] chore(deps): update dependency follow-redirects@<1.15.4 to >=1.16.0 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-follow-redirects-1.15.4-vulnerability branch April 27, 2026 18:04
@renovate renovate Bot changed the title chore(deps): update dependency follow-redirects@<1.15.4 to >=1.16.0 [security] - autoclosed chore(deps): update dependency follow-redirects@<1.15.4 to >=1.16.0 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-follow-redirects-1.15.4-vulnerability branch 3 times, most recently from 4c40f78 to 9c5003a April 29, 2026 17:58
@renovate renovate Bot force-pushed the renovate/npm-follow-redirects-1.15.4-vulnerability branch 2 times, most recently from bfe97b0 to 0443a17 May 18, 2026 18:10
@renovate renovate Bot force-pushed the renovate/npm-follow-redirects-1.15.4-vulnerability branch from 0443a17 to f5526d3 May 28, 2026 21:49