## **Description**
**Reason for change:** `yarn audit:ci` was failing due to a
high-severity vulnerability in `axios` (GHSA-43fc-jf86-j433): Denial of
Service via the `__proto__` key in `mergeConfig`. Affected versions are
≤1.13.4; the project was on 1.12.2.
**Solution:**
- Bumped axios resolutions to `^1.13.5` in root `package.json` (both resolution entries) and in `.github/scripts/package.json`.
- Added `axios` to `npmPreapprovedPackages` in `.yarnrc.yml` so Yarn’s 3-day minimal age gate allows the new release.
- Ran `yarn install --no-immutable` to update the lockfile to axios 1.13.5.
No code changes; dependency upgrade only. `yarn audit:ci` now passes.
## **Changelog**
CHANGELOG entry: null
## **Related issues**
Fixes: N/A
## **Manual testing steps**
```gherkin
Feature: Security audit and dependency usage after axios upgrade

  Scenario: CI audit passes after axios upgrade
    Given the repo has axios resolved to 1.13.5
    When I run yarn audit:ci
    Then the command exits with code 0 and reports no audit suggestions

  Scenario: App and scripts still run with upgraded axios
    Given the branch is checked out and dependencies are installed
    When I run yarn install and then run any flow that uses axios (e.g. scripts or app network calls)
    Then no runtime errors occur and behavior is unchanged
```
## **Screenshots/Recordings**
Not applicable (dependency-only change; no UI changes).
### **Before**
N/A
### **After**
N/A
## **Pre-merge author checklist**
- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.
## **Pre-merge reviewer checklist**
- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [x] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Dependency upgrade plus bundler resolution changes could affect runtime networking behavior or Metro module resolution, especially if any code relied on Axios’ Node build.
>
> **Overview**
> Bumps `axios` to `^1.13.5` (and updates both root `yarn.lock` and `.github/scripts/yarn.lock`) to address the reported security advisory.
>
> Updates `metro.config.js` resolver logic to always redirect `axios` (and `axios/dist/node/*`) imports to `axios/dist/browser/axios.cjs`, while preserving the existing E2E-only Sentry module mocking behavior under the new unified `resolveRequest` handler.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 520829a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: sethkfman <10342624+sethkfman@users.noreply.github.com>
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
Co-authored-by: Cal-L <cal.leung@consensys.net>