fix: bump axios to 1.15.0 to resolve critical SSRF vulnerability

[weitingsun]

Description

CI is failing on yarn audit:ci due to a critical severity advisory (GHSA-3p68-rc4w-qgx5) in axios < 1.15.0. The vulnerability allows an attacker to bypass NO_PROXY hostname normalization, leading to SSRF.

This PR bumps axios from 1.13.5 to 1.15.0 across dependencies, resolutions, and the CI scripts package. Because 1.15.0 was published less than 3 days ago, it is also temporarily added to npmPreapprovedPackages in .yarnrc.yml to bypass the npmMinimalAgeGate. This preapproval entry should be removed after 2025-04-12.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Updates a widely used HTTP client to remediate a critical SSRF advisory; moderate risk due to potential subtle networking/proxy behavior changes across the app and CI scripts.

Overview
Bumps axios from ^1.13.5 to ^1.15.0 across the repo (app dependencies, resolutions, and the .github/scripts workspace) to address the flagged security advisory.

Updates both lockfiles to the new axios and its transitive proxy-from-env@^2.1.0, and temporarily adds axios to .yarnrc.yml npmPreapprovedPackages to bypass the 3-day npmMinimalAgeGate for this release.

^{Reviewed by Cursor Bugbot for commit 34350ca. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - draft PR

All E2E tests pre-selected.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[joaoloureirop]

lgtm

[github-actions]

✅ E2E Fixture Validation — Schema is up to date
17 value mismatches detected (expected — fixture represents an existing user).
View details