From 1571902bb94e08279fe7192fa801c2a987c0bfb8 Mon Sep 17 00:00:00 2001 From: fireddd Date: Fri, 10 Apr 2026 02:30:34 +0530 Subject: [PATCH] fix(deps): override axios to >=1.15.0 to resolve SSRF vulnerability (GHSA-3p68-rc4w-qgx5) Co-Authored-By: Claude Opus 4.6 --- package.json | 5 +++++ pnpm-lock.yaml | 28 ++++++++++++++++------------ 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/package.json b/package.json index 356a846b8..3f26f3353 100644 --- a/package.json +++ b/package.json @@ -26,6 +26,11 @@ "prepare": "husky", "postinstall": "node scripts/rebuild-node-pty.js" }, + "pnpm": { + "overrides": { + "axios": ">=1.15.0" + } + }, "devDependencies": { "@changesets/cli": "^2.29.8", "@eslint/js": "^10.0.1", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index e565f81f5..5be730834 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + axios: '>=1.15.0' + importers: .: @@ -1265,7 +1268,7 @@ packages: resolution: {integrity: sha512-lBehVhbnhvm41cFguZuy1FO+4x8NO3Qy/ooL0Jw4bdqTu21n7DmZMPsXEF0gL7/gNdTt4QkJGwaojy+8ExtE8w==} deprecated: Starting with v0.73.0, this package is bundled directly inside @hey-api/openapi-ts. peerDependencies: - axios: '>= 1.0.0 < 2' + axios: '>=1.15.0' '@humanfs/core@0.19.1': resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==} @@ -2232,8 +2235,8 @@ packages: asynckit@0.4.0: resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==} - axios@1.13.5: - resolution: {integrity: sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==} + axios@1.15.0: + resolution: {integrity: sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==} balanced-match@1.0.2: resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} @@ -3504,8 +3507,9 @@ packages: resolution: {integrity: sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==} engines: {node: '>=10'} - proxy-from-env@1.1.0: - resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==} + proxy-from-env@2.1.0: + resolution: {integrity: sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==} + engines: {node: '>=10'} punycode@2.3.1: resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==} @@ -4743,9 +4747,9 @@ snapshots: '@eslint/core': 1.1.0 levn: 0.4.1 - '@hey-api/client-axios@0.2.12(axios@1.13.5)': + '@hey-api/client-axios@0.2.12(axios@1.15.0)': dependencies: - axios: 1.13.5 + axios: 1.15.0 '@humanfs/core@0.19.1': {} @@ -5737,11 +5741,11 @@ snapshots: asynckit@0.4.0: {} - axios@1.13.5: + axios@1.15.0: dependencies: follow-redirects: 1.15.11 form-data: 4.0.5 - proxy-from-env: 1.1.0 + proxy-from-env: 2.1.0 transitivePeerDependencies: - debug @@ -5872,11 +5876,11 @@ snapshots: '@ai-sdk/openai': 3.0.29(zod@3.25.76) '@cloudflare/workers-types': 4.20260214.0 '@composio/mcp': 1.0.3-0 - '@hey-api/client-axios': 0.2.12(axios@1.13.5) + '@hey-api/client-axios': 0.2.12(axios@1.15.0) '@langchain/core': 1.1.24(@opentelemetry/api@1.9.0)(openai@6.22.0(ws@8.19.0)(zod@3.25.76)) '@langchain/openai': 1.2.7(@langchain/core@1.1.24(@opentelemetry/api@1.9.0)(openai@6.22.0(ws@8.19.0)(zod@3.25.76)))(ws@8.19.0) ai: 6.0.86(zod@3.25.76) - axios: 1.13.5 + axios: 1.15.0 chalk: 4.1.2 cli-progress: 3.12.0 commander: 12.1.0 @@ -6997,7 +7001,7 @@ snapshots: err-code: 2.0.3 retry: 0.12.0 - proxy-from-env@1.1.0: {} + proxy-from-env@2.1.0: {} punycode@2.3.1: {}