fix(deps): override axios to >=1.15.0 to resolve SSRF vulnerability

Adds pnpm.overrides to force axios >=1.15.0 across all transitive
dependencies. This resolves the critical SSRF vulnerability
(GHSA-3p68-rc4w-qgx5) where axios <1.15.0 had a NO_PROXY hostname
normalization bypass.

The vulnerable axios@1.13.5 was pulled in transitively through
composio-core@0.5.39 > axios and composio-core > @hey-api/client-axios
> axios.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
fireddd 2026-04-10 02:34:27 +05:30
parent 4c906a5207
commit ef6e83c288
2 changed files with 21 additions and 12 deletions

View File

@ -35,5 +35,10 @@
"husky": "^9.1.7",
"prettier": "^3.8.1",
"typescript-eslint": "^8.55.0"
},
"pnpm": {
"overrides": {
"axios": ">=1.15.0"
}
}
}

View File

@ -4,6 +4,9 @@ settings:
autoInstallPeers: true
excludeLinksFromLockfile: false
overrides:
axios: '>=1.15.0'
importers:
.:
@ -1262,7 +1265,7 @@ packages:
resolution: {integrity: sha512-lBehVhbnhvm41cFguZuy1FO+4x8NO3Qy/ooL0Jw4bdqTu21n7DmZMPsXEF0gL7/gNdTt4QkJGwaojy+8ExtE8w==}
deprecated: Starting with v0.73.0, this package is bundled directly inside @hey-api/openapi-ts.
peerDependencies:
axios: '>= 1.0.0 < 2'
axios: '>=1.15.0'
'@humanfs/core@0.19.1':
resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==}
@ -2229,8 +2232,8 @@ packages:
asynckit@0.4.0:
resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
axios@1.13.5:
resolution: {integrity: sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==}
axios@1.15.0:
resolution: {integrity: sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==}
balanced-match@1.0.2:
resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
@ -3501,8 +3504,9 @@ packages:
resolution: {integrity: sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==}
engines: {node: '>=10'}
proxy-from-env@1.1.0:
resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==}
proxy-from-env@2.1.0:
resolution: {integrity: sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==}
engines: {node: '>=10'}
punycode@2.3.1:
resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
@ -4740,9 +4744,9 @@ snapshots:
'@eslint/core': 1.1.0
levn: 0.4.1
'@hey-api/client-axios@0.2.12(axios@1.13.5)':
'@hey-api/client-axios@0.2.12(axios@1.15.0)':
dependencies:
axios: 1.13.5
axios: 1.15.0
'@humanfs/core@0.19.1': {}
@ -5734,11 +5738,11 @@ snapshots:
asynckit@0.4.0: {}
axios@1.13.5:
axios@1.15.0:
dependencies:
follow-redirects: 1.15.11
form-data: 4.0.5
proxy-from-env: 1.1.0
proxy-from-env: 2.1.0
transitivePeerDependencies:
- debug
@ -5869,11 +5873,11 @@ snapshots:
'@ai-sdk/openai': 3.0.29(zod@3.25.76)
'@cloudflare/workers-types': 4.20260214.0
'@composio/mcp': 1.0.3-0
'@hey-api/client-axios': 0.2.12(axios@1.13.5)
'@hey-api/client-axios': 0.2.12(axios@1.15.0)
'@langchain/core': 1.1.24(@opentelemetry/api@1.9.0)(openai@6.22.0(ws@8.19.0)(zod@3.25.76))
'@langchain/openai': 1.2.7(@langchain/core@1.1.24(@opentelemetry/api@1.9.0)(openai@6.22.0(ws@8.19.0)(zod@3.25.76)))(ws@8.19.0)
ai: 6.0.86(zod@3.25.76)
axios: 1.13.5
axios: 1.15.0
chalk: 4.1.2
cli-progress: 3.12.0
commander: 12.1.0
@ -6994,7 +6998,7 @@ snapshots:
err-code: 2.0.3
retry: 0.12.0
proxy-from-env@1.1.0: {}
proxy-from-env@2.1.0: {}
punycode@2.3.1: {}