chore: bump axios 16.1

[tommasini]

Description

Fix audit issue: GHSA-35jp-ww65-95wh

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Dependency-only security patch with no app code changes; standard patch-level HTTP client upgrade.

Overview
Bumps axios from ^1.15.x to ^1.16.0 in package.json (direct dependency and Yarn resolutions) and refreshes yarn.lock so the tree resolves to axios 1.16.1, addressing advisory GHSA-35jp-ww65-95wh.

The lockfile also picks up follow-redirects 1.16.0 and axios’s updated transitive deps (e.g. https-proxy-agent). No application source changes.

^{Reviewed by Cursor Bugbot for commit e4f36bb. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeMoney, SmokeNetworkAbstractions
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 82%

click to see 🤖 AI reasoning details

E2E Test Selection:
The PR contains only two changed files: package.json and yarn.lock, both reflecting a minor version bump of the axios HTTP client library from 1.15.x to 1.16.x (specifically 1.15.2 → 1.16.1). The transitive dependency follow-redirects was also bumped from 1.15.11 → 1.16.0, and a new https-proxy-agent dependency was added internally to axios 1.16.x.

No application code was changed — this is purely a dependency update.

Axios is used in the following areas of the app:

1. Card controller (app/core/Engine/controllers/card-controller/services/BaanxService.ts) — used for Card API calls → SmokeMoney
2. Ramp/Deposit hooks (app/components/UI/Ramp/Deposit/hooks/) — used for deposit routing and user flows → SmokeMoney
3. Network checker (app/core/RPCMethods/networkChecker.util.ts) — used for RPC network validation → SmokeNetworkAbstractions
4. Test utilities (app/util/test/, tests/framework/, tests/performance/) — test infrastructure only, not production flows

Since this is a minor version bump (semver-compatible), the risk of behavioral regression is low. However, to validate that the HTTP client still works correctly in the most affected user-facing flows (Card/Ramp and network checking), SmokeMoney and SmokeNetworkAbstractions are selected as targeted coverage. No performance tests are needed as this is a library version bump with no UI or rendering changes.

Performance Test Selection:
This is a minor version bump of the axios HTTP client library with no UI, rendering, state management, or initialization changes. There is no expected performance impact from this dependency update, so no performance tests are needed.

View GitHub Actions results