
fix: bump axios to ^1.15.0 to address CVE-2026-40175#7225

Merged
openshift-merge-bot[bot] merged 2 commits into opendatahub-io:main from crackcodecamp:fix/cve-2026-40175-axios
Apr 15, 2026

Conversation

@crackcodecamp
Contributor

@crackcodecamp crackcodecamp commented Apr 14, 2026

Axios prior to 1.15.0 is vulnerable to a Prototype Pollution escalation that can lead to Remote Code Execution. Bumps direct dependencies and adds a root override to ensure all transitive copies are also updated.

Summary

  • Bumps axios from ^1.12.0 to ^1.15.0 in frontend and packages/contract-tests to
    fix CVE-2026-40175
  • Adds axios: ^1.15.0 override in root package.json to ensure transitive dependencies
    (@module-federation/dts-plugin, wait-on) also resolve to the fixed version

CVE Details

  • CVE: CVE-2026-40175
  • Description: Axios prior to 1.15.0 is vulnerable to a "Gadget" attack chain that
    allows Prototype Pollution in any third-party dependency to be escalated into Remote Code
    Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass)
  • Fix: Axios 1.15.0
  • Trackers: RHOAIENG-57809, RHOAIENG-57810

Summary by CodeRabbit

  • Chores
    • Updated HTTP client library to v1.15.0 across the project for more consistent dependency resolution, stability, and performance.
    • Added dependency override entries in front-end packages to enforce the new HTTP client version uniformly.

@coderabbitai
Contributor

coderabbitai Bot commented Apr 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: bcacce09-965d-405a-993f-6727b0f08618

📥 Commits

Reviewing files that changed from the base of the PR and between bcc5ea9 and 91180d0.

⛔ Files ignored due to path filters (9)
  • package-lock.json is excluded by !**/package-lock.json, !package-lock.json
  • packages/automl/frontend/package-lock.json is excluded by !**/package-lock.json
  • packages/autorag/frontend/package-lock.json is excluded by !**/package-lock.json
  • packages/eval-hub/frontend/package-lock.json is excluded by !**/package-lock.json
  • packages/gen-ai/frontend/package-lock.json is excluded by !**/package-lock.json
  • packages/maas/frontend/package-lock.json is excluded by !**/package-lock.json
  • packages/mlflow/frontend/package-lock.json is excluded by !**/package-lock.json
  • packages/notebooks/upstream/workspaces/frontend/package-lock.json is excluded by !**/package-lock.json, !**/upstream/**
  • packages/notebooks/upstream/workspaces/frontend/package.json is excluded by !**/upstream/**
📒 Files selected for processing (9)
  • frontend/package.json
  • package.json
  • packages/automl/frontend/package.json
  • packages/autorag/frontend/package.json
  • packages/contract-tests/package.json
  • packages/eval-hub/frontend/package.json
  • packages/gen-ai/frontend/package.json
  • packages/maas/frontend/package.json
  • packages/mlflow/frontend/package.json
✅ Files skipped from review due to trivial changes (8)
  • packages/automl/frontend/package.json
  • packages/maas/frontend/package.json
  • packages/contract-tests/package.json
  • packages/mlflow/frontend/package.json
  • frontend/package.json
  • packages/gen-ai/frontend/package.json
  • packages/eval-hub/frontend/package.json
  • packages/autorag/frontend/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

📝 Walkthrough

Walkthrough

Multiple package manifest files were edited to standardize axios usage: root package.json gained an overrides.axios entry pinned to ^1.15.0 (keeping form-data at ^4.0.4), several frontend package.json files added the same axios override, frontend/package.json relaxed its axios range from ^1.12.0 to ^1.15.0, and packages/contract-tests/package.json bumped its axios devDependency to ^1.15.0. No source code, exported APIs, or runtime logic were changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Actionable Issues

  • Verify security impact: review axios release notes and official security advisories (NVD/GitHub) between 1.12.0 and 1.15.0 for any CVE fixes or regressions before merging.
  • Run dependency-resolution and lockfile update, then audit the resulting lockfile (e.g., npm audit / yarn audit) and report any new or unresolved vulnerabilities.
  • Run unit/integration tests that exercise HTTP client behavior (timeouts, header handling, redirects, error handling) to detect behavioral or breaking changes.
🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name: Description check
Status: ⚠️ Warning
Explanation: The description provides CVE details, affected files, and the rationale (transitive dependency management), but omits required sections from the template: testing instructions, test impact, and pre-merge self-checklist items.
Resolution: Add 'How Has This Been Tested?' and 'Test Impact' sections detailing verification steps. Complete the self-checklist confirming manual testing, test coverage reasoning, and cluster validation plans.

✅ Passed checks (1 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title clearly and specifically describes the main change: bumping axios to a specific version to address a named CVE vulnerability.


Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 119-120: The root override doesn't affect nested packages with
their own lockfiles; update each nested package's package.json dependency
"axios" to "^1.15.0" (packages/automl/frontend, packages/autorag/frontend,
packages/eval-hub/frontend, packages/gen-ai/frontend, packages/maas/frontend,
packages/mlflow/frontend, packages/notebooks/upstream/workspaces/frontend) and
then regenerate the package-lock.json in each by running the package's install
(e.g., npm install or npm ci) so the lockfile resolves to the safe axios range;
after updating, run npm audit (or your CI scan) in each package to confirm
CVE-2026-40175 is no longer present.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 732a7726-9c8a-423c-a29b-ec98248a29db

📥 Commits

Reviewing files that changed from the base of the PR and between 1ffb866 and bcc5ea9.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json, !package-lock.json
📒 Files selected for processing (3)
  • frontend/package.json
  • package.json
  • packages/contract-tests/package.json

Comment thread package.json
Contributor

@dpanshug dpanshug left a comment


/lgtm Verified this by running locally on latest cluster

=== Root ===
odh-dashboard@2.0.0 /Users/dipgupta/Documents/odh/odh-dashboard
├─┬ @odh-dashboard/contract-tests@0.0.0 -> ./packages/contract-tests
│ └── axios@1.15.0 overridden
├─┬ @odh-dashboard/observability@0.0.0 -> ./packages/observability
│ └─┬ @perses-dev/plugin-system@0.53.1
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.15.0 deduped
└─┬ odh-dashboard-frontend@2.0.0 -> ./frontend
  ├─┬ @module-federation/enhanced@0.18.4
  │ └─┬ @module-federation/dts-plugin@0.18.4
  │   └── axios@1.15.0 deduped
  ├── axios@1.15.0 deduped
  └─┬ wait-on@7.2.0
    └── axios@1.15.0 deduped


=== gen-ai ===
gen-ai@0.0.2 /Users/dipgupta/Documents/odh/odh-dashboard/packages/gen-ai/frontend
└─┬ @module-federation/enhanced@0.13.1
  └─┬ @module-federation/dts-plugin@0.13.1
    └── axios@1.15.0 overridden


=== maas ===
maas-ui@1.0.0 /Users/dipgupta/Documents/odh/odh-dashboard/packages/maas/frontend
└─┬ @module-federation/enhanced@0.21.6
  └─┬ @module-federation/dts-plugin@0.21.6
    └── axios@1.15.0 overridden


=== model-registry ===
model-registry-ui@1.0.0 /Users/dipgupta/Documents/odh/odh-dashboard/packages/model-registry/upstream/frontend
└─┬ @module-federation/enhanced@0.21.6
  └─┬ @module-federation/dts-plugin@0.21.6
    └── axios@1.15.0


=== automl ===
automl-ui@1.0.0 /Users/dipgupta/Documents/odh/odh-dashboard/packages/automl/frontend
└─┬ @module-federation/enhanced@0.21.4
  └─┬ @module-federation/dts-plugin@0.21.4
    └── axios@1.15.0 overridden


=== autorag ===
autorag-ui@1.0.0 /Users/dipgupta/Documents/odh/odh-dashboard/packages/autorag/frontend
└─┬ @module-federation/enhanced@0.21.4
  └─┬ @module-federation/dts-plugin@0.21.4
    └── axios@1.15.0 overridden


=== eval-hub ===
eval-hub-ui@1.0.0 /Users/dipgupta/Documents/odh/odh-dashboard/packages/eval-hub/frontend
└─┬ @module-federation/enhanced@0.21.4
  └─┬ @module-federation/dts-plugin@0.21.4
    └── axios@1.15.0 overridden


=== mlflow ===
mlflow-ui@1.0.0 /Users/dipgupta/Documents/odh/odh-dashboard/packages/mlflow/frontend
└─┬ @module-federation/enhanced@0.21.4
  └─┬ @module-federation/dts-plugin@0.21.4
    └── axios@1.15.0 overridden


=== notebooks ===
kubeflow-workspaces-frontend@0.0.1 /Users/dipgupta/Documents/odh/odh-dashboard/packages/notebooks/upstream/workspaces/frontend
├─┬ @module-federation/enhanced@0.18.4
│ └─┬ @module-federation/dts-plugin@0.18.4
│   └── axios@1.15.0 deduped
└── axios@1.15.0 overridden

@dpanshug
Contributor

/retest

@dpanshug
Contributor

/retest-required

@dpanshug
Contributor

@crackcodecamp can you rebase with main to rerun the tests

@codecov

codecov Bot commented Apr 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.89%. Comparing base (596b3ea) to head (91180d0).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #7225      +/-   ##
==========================================
+ Coverage   64.81%   64.89%   +0.08%     
==========================================
  Files        2441     2441              
  Lines       75996    75996              
  Branches    19158    19158              
==========================================
+ Hits        49257    49320      +63     
+ Misses      26739    26676      -63     

see 24 files with indirect coverage changes



Axios prior to 1.15.0 is vulnerable to a Prototype Pollution
escalation that can lead to Remote Code Execution. Bumps direct
dependencies and adds a root override to ensure all transitive
copies are also updated.
The root override does not cascade to nested packages with their
own independent lockfiles. Adds axios ^1.15.0 override to each
federated module package and bumps the direct dep in notebooks.

Affected packages:
- packages/automl/frontend
- packages/autorag/frontend
- packages/eval-hub/frontend
- packages/gen-ai/frontend
- packages/maas/frontend
- packages/mlflow/frontend
- packages/notebooks/upstream/workspaces/frontend
@crackcodecamp crackcodecamp force-pushed the fix/cve-2026-40175-axios branch from 95b080e to 91180d0 Compare April 15, 2026 06:56
@openshift-ci openshift-ci Bot removed the lgtm label Apr 15, 2026
Contributor

@dpanshug dpanshug left a comment


/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Apr 15, 2026
Member

@manaswinidas manaswinidas left a comment


/approve

@openshift-ci
Contributor

openshift-ci Bot commented Apr 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dpanshug, manaswinidas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit ab43a55 into opendatahub-io:main Apr 15, 2026
65 checks passed