
Update dependencies to fix multiple critical/high vulnerabilities#2645

Open
pjanczyk wants to merge 1 commit into Azure:main from pjanczyk:update-dependencies

Conversation

@pjanczyk (Author):

Bump axios (from 0.27.0 to 0.32.0) and multiple transitive dependencies to address the following vulnerabilities reported by Trivy container image scanner:

| CVE | Package | Severity |
|---|---|---|
| CVE-2025-7783 | form-data | CRITICAL |
| CVE-2025-27152 | axios | HIGH |
| CVE-2026-25639 | axios | HIGH |
| CVE-2026-42033 | axios | HIGH |
| CVE-2026-42035 | axios | HIGH |
| CVE-2026-42043 | axios | HIGH |
| CVE-2025-65945 | jws | HIGH |
| CVE-2026-4800 | lodash | HIGH |
| CVE-2026-26996 | minimatch | HIGH |
| CVE-2026-27903 | minimatch | HIGH |
| CVE-2026-27904 | minimatch | HIGH |
| CVE-2026-4867 | path-to-regexp | HIGH |
| CVE-2026-30951 | sequelize | HIGH |
| CVE-2025-12758 | validator | HIGH |
| CVE-2023-45857 | axios | MEDIUM |
| CVE-2025-62718 | axios | MEDIUM |
| CVE-2026-40175 | axios | MEDIUM |
| CVE-2026-42034 | axios | MEDIUM |
| CVE-2026-42036 | axios | MEDIUM |
| CVE-2026-42038 | axios | MEDIUM |
| CVE-2026-42039 | axios | MEDIUM |
| CVE-2026-42041 | axios | MEDIUM |
| CVE-2026-42042 | axios | MEDIUM |
| CVE-2026-27837 | dottie | MEDIUM |
| GHSA-r4q5-vmmm-2653 | follow-redirects | MEDIUM |
| CVE-2025-13465 | lodash | MEDIUM |
| CVE-2026-2950 | lodash | MEDIUM |
| CVE-2025-15284 | qs | MEDIUM |
| CVE-2025-56200 | validator | MEDIUM |
| CVE-2026-42040 | axios | LOW |
| CVE-2025-5889 | brace-expansion | LOW |
| CVE-2026-2391 | qs | LOW |

npm run test and npm run test:in-memory are passing locally.

Resolves #2641.


Thanks for the contribution! Please go through the following checklist before sending a PR.

PR Branch Destination

  • For Azurite V3, please send PR to main branch.
  • For legacy Azurite V2, please send PR to legacy-dev branch.

Always Add Test Cases

Make sure test cases are added to cover the code change.

Add Change Log

Add a change log entry for the code change in the Upcoming Release section of ChangeLog.md.

Development Guideline

Please go to CONTRIBUTION.md for steps about setting up development environment and recommended Visual Studio Code extensions.

Copilot AI review requested due to automatic review settings May 13, 2026 08:16
);
assert.strictEqual(firstPutRequestResult.status, 204);
oldEtag = firstPutRequestResult.headers.etag;
oldEtag = firstPutRequestResult.headers.etag ?? "";
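Review bot: the `?? ""` fallback on the last line turns a missing etag header into an empty string, so an If-Match built from oldEtag later in the test would no longer prove the entity was unchanged and the case could pass or fail for the wrong reason. Since the status is already asserted as 204 on the line above, also assert the header is present, e.g. `assert.ok(firstPutRequestResult.headers.etag)`, and assign the narrowed value instead of defaulting it.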
pjanczyk (Author):

etag was string in axios@0.27.0, but in 0.32.0 the type was changed to string | undefined

Comment on lines -998 to -1001
options: {
requestId: "5c43f514-9598-421a-a8d3-7b55a08a10c9",
dataServiceVersion: "3.0"
},
@pjanczyk pjanczyk (Author), May 13, 2026:

These headers don't look correct — axios doesn't support nested objects as headers.

axios@0.27.0 stringified it as options: [object Object]
axios@0.32.0 throws an error

I updated them to match other test cases.

Copilot AI (Contributor) left a comment:

Pull request overview

This PR updates axios and several transitive npm dependencies to remediate multiple Trivy-reported CVEs, and adjusts table REST tests to match the updated HTTP client behavior.

Changes:

  • Bump axios to 0.32.0 and add npm overrides to force secure transitive versions (notably form-data).
  • Refresh package-lock.json to reflect the updated dependency graph.
  • Update table REST tests’ request headers/ETag handling to stay compatible with the upgraded dependencies.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| tests/table/apis/table.entity.rest.test.ts | Updates batch-request headers and tweaks ETag extraction logic in REST tests. |
| package.json | Pins axios to 0.32.0 and adds npm overrides for vulnerable transitives. |
| package-lock.json | Large dependency graph update reflecting upgraded direct/transitive packages. |
| ChangeLog.md | Adds an entry documenting the dependency/vulnerability updates. |
Comments suppressed due to low confidence (1)

tests/table/apis/table.entity.rest.test.ts:836

  • Defaulting newEtag to "" when the response ETag header is missing can cause later If-Match test cases (where "new" is substituted) to pass/fail for the wrong reason. Prefer asserting the ETag header is present on success responses before updating newEtag.
        );
        if (testCase.expectSuccess) {
          newEtag = testCaseRequestResult.headers.etag ?? "";
        }

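The two test pitfalls discussed in this review, a success response whose ETag header is missing being silently turned into `""`, and a nested object being passed where an HTTP header value must be a string, as an added TypeScript example. This is not code from the Azurite project or from this PR: the helper names (`requireEtag`, `resolveIfMatch`, `assertFlatHeaders`, `conditionalUpdateHeaders`) and the response objects are constructed for illustration, and only the `status`/`headers` shape mirrors what an HTTP client such as axios returns.

```typescript
// Added example, not code from the Azurite project or this PR. It models two
// pitfalls raised in the review: defaulting a missing ETag to "" and passing a
// nested object as an HTTP header value.

type HeaderValue = string | string[] | number | boolean | null | undefined;

// Minimal stand-in for an HTTP client response (constructed shape).
interface SimResponse {
  status: number;
  headers: Record<string, HeaderValue>;
}

// Return the ETag of a success response or throw. A 2xx response without an
// ETag is a test bug or a server regression; turning it into "" would let
// later If-Match assertions pass or fail for the wrong reason.
export function requireEtag(res: SimResponse): string {
  if (res.status < 200 || res.status >= 300) {
    throw new Error(`expected a success status, got ${res.status}`);
  }
  const etag = res.headers["etag"] ?? res.headers["ETag"];
  if (typeof etag !== "string" || etag.length === 0) {
    throw new Error(`response ${res.status} carries no ETag header`);
  }
  return etag;
}

// Map a test-case If-Match spec onto a concrete header value: "*" matches any
// entity, "new"/"old" stand for the stored ETags, anything else is literal.
export function resolveIfMatch(
  spec: string,
  etags: { oldEtag: string; newEtag: string }
): string {
  switch (spec) {
    case "*":
      return "*";
    case "new":
      return etags.newEtag;
    case "old":
      return etags.oldEtag;
    default:
      return spec;
  }
}

// Validate a header map before handing it to an HTTP client. Nested objects
// are rejected up front: an older client coerces them to "[object Object]"
// and a newer one throws, and either way the request is not what the test
// intended. Undefined values are dropped; everything else becomes a string.
export function assertFlatHeaders(
  headers: Record<string, unknown>
): Record<string, string> {
  const flat: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    if (value === undefined) continue;
    if (value !== null && typeof value === "object") {
      throw new TypeError(`header "${name}" must be a string, got a nested object`);
    }
    flat[name] = String(value);
  }
  return flat;
}

// Constructed responses standing in for what the client would return on two
// consecutive PUTs; they are not captured from a real Azurite run.
export const putWithEtag: SimResponse = {
  status: 204,
  headers: { etag: 'W/"datetime\'2026-05-13T08%3A16%3A00.0000000Z\'"' },
};
export const putWithNewEtag: SimResponse = {
  status: 204,
  headers: { etag: 'W/"datetime\'2026-05-13T08%3A24%3A00.0000000Z\'"' },
};
export const putWithoutEtag: SimResponse = { status: 204, headers: {} };

// Walk a conditional-update scenario: capture both ETags (failing loudly if
// either is absent), then build the flat header map for the next request.
// "x-ms-client-request-id" is a real Azure request header; its value here is
// a constructed placeholder.
export function conditionalUpdateHeaders(
  first: SimResponse,
  second: SimResponse,
  ifMatchSpec: string
): Record<string, string> {
  const oldEtag = requireEtag(first);
  const newEtag = requireEtag(second);
  return assertFlatHeaders({
    "If-Match": resolveIfMatch(ifMatchSpec, { oldEtag, newEtag }),
    "x-ms-client-request-id": "constructed-request-id",
    DataServiceVersion: "3.0",
  });
}
```

The design choice is to fail at the point where the ETag is read rather than where it is used: `requireEtag` makes a missing header an error on the response that lacked it, so a later If-Match assertion can only fail because of the server behaviour under test, and `assertFlatHeaders` turns the client-version-dependent handling of nested header objects into one deterministic check.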

@pjanczyk pjanczyk marked this pull request as ready for review May 13, 2026 08:24
@pjanczyk (Author):

@microsoft-github-policy-service agree


Development

Successfully merging this pull request may close these issues.

CVE-2026-40175 - critical vulnerability - Axios
