[CVE-2025-58754] Bump axios requiring breaking changes in multiple packages #10685

@ananzh

Axios needs to be bumped to 1.12.0. We can't easily bump it due to breaking changes:

ERROR [bootstrap] failed:
ERROR Error: Command failed with exit code 2: /opt/homebrew/lib/node_modules/yarn/bin/yarn.js run osd:bootstrap
      error Command failed with exit code 2.
      error Command failed with exit code 2.
      $ yarn build
      $ tsc
      ../../node_modules/axios/index.d.ts(428,3): error TS2416: Property 'cause' in type 'AxiosError<T, D>' is not assignable to the same property in base type 'Error'.
        Type 'unknown' is not assignable to type 'Error | undefined'.
      info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
      info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
          at makeError (/Users/ananzh/OpenSearch-Dashboards/packages/osd-pm/dist/index.js:27527:11)
          at handlePromise (/Users/ananzh/OpenSearch-Dashboards/packages/osd-pm/dist/index.js:26461:26)
          at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
          at async /Users/ananzh/OpenSearch-Dashboards/packages/osd-pm/dist/index.js:9283:11
          at async scheduleItem (/Users/ananzh/OpenSearch-Dashboards/packages/osd-pm/dist/index.js:11336:9)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

The issue is that axios 1.12.0 changed the AxiosError.cause property type from Error | undefined to unknown. This is a breaking change that affects TypeScript compatibility. The codebase currently extends AxiosError in several places, which expect the cause property to be Error | undefined. Meanwhile, based on the release and our usages, there are other APIs that might need to be updated:

AxiosResponse export may have changed
axios.request method structure changed
AxiosError.config property may have changed
Various type definitions have been updated
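
An added example, not part of the original issue and not code from axios or OpenSearch-Dashboards: one way a call site that assumed `cause` was `Error | undefined` can consume the `unknown` type instead. `ErrorWithUnknownCause` is a stand-in for the changed field, and `narrowCause` and `causeChain` are hypothetical helper names.

```typescript
// Stand-in for the one field whose type changed (assumption for this example);
// the real type is AxiosError from 'axios', where `cause` is now `unknown`.
interface ErrorWithUnknownCause {
  message: string;
  cause?: unknown;
}

// Narrow an `unknown` cause to the `Error | undefined` that older call sites expect.
function narrowCause(cause: unknown): Error | undefined {
  if (cause === undefined || cause === null) return undefined;
  if (cause instanceof Error) return cause;
  // Wrap non-Error values (strings, plain objects) instead of silently dropping them.
  let text: string;
  try {
    text = typeof cause === 'string' ? cause : JSON.stringify(cause);
  } catch {
    text = String(cause); // JSON.stringify throws on circular structures
  }
  return new Error(text);
}

// Collect the chain of causes for logging. Stops on a cycle or after maxDepth
// links, so a self-referencing cause cannot loop forever.
function causeChain(err: ErrorWithUnknownCause, maxDepth = 10): Error[] {
  const chain: Error[] = [];
  const seen: unknown[] = [err];
  let next: unknown = err.cause;
  while (
    chain.length < maxDepth &&
    next !== undefined &&
    next !== null &&
    seen.indexOf(next) === -1
  ) {
    seen.push(next);
    const asError = narrowCause(next);
    if (!asError) break;
    chain.push(asError);
    // Follow the next link; primitives have no `cause`, which ends the walk.
    next = (next as { cause?: unknown }).cause;
  }
  return chain;
}
```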

Labels: cve (Security vulnerabilities detected by Dependabot or Mend)
