
fix: pin axios to 1.13.2 to prevent upgrade to compromised 1.14.1#986

Merged
sgalsaleh merged 1 commit into main from security/pin-axios-version on Mar 31, 2026

Conversation

@sgalsaleh


Summary

  • axios 1.14.1 and 0.30.4 have been identified as compromised npm packages containing a RAT. See "axios@1.14.1 and axios@0.30.4 are compromised" (axios/axios#10604)
  • Pins axios to exact version 1.13.2 (removes ^ caret) in web/package.json and web/package-lock.json
  • Prevents npm install from resolving to the compromised 1.14.1

Test plan

  • Verify npm install in web/ does not upgrade axios beyond 1.13.2
  • Verify the web app builds and runs correctly

🤖 Generated with Claude Code

axios 1.14.1 and 0.30.4 have been identified as compromised versions
containing a remote access trojan (see axios/axios#10604).

This pins the dependency to exact version 1.13.2 (removing the ^
caret) in both package.json and package-lock.json, preventing any
automatic upgrade to 1.14.1.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
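As an added illustration (not code from this PR or from the kurlsh-testgrid project), the following Node.js script performs the check the test plan describes: it verifies that package.json declares axios with an exact version rather than a caret range, and it walks the lockfile's `packages` map (npm lockfile v2/v3) for any copy of axios resolved to 1.14.1 or 0.30.4. The sample package.json and package-lock.json objects and the transitive dependency `some-lib` are constructed for the example; the two version numbers are the ones named in the PR.

```javascript
// Added example, not part of the PR: audit a dependency pin against a list of
// known-bad versions using package.json and an npm lockfile v2/v3 "packages" map.

// Versions the PR identifies as compromised (from axios/axios#10604).
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);

// An exact pin is a bare semver version: no ^, ~, >=, x-ranges, "*" or "latest".
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(String(spec));
}

// Return how package.json declares the dependency, or null if it is absent.
function declaredSpec(pkg, name) {
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    if (pkg[field] && name in pkg[field]) return pkg[field][name];
  }
  return null;
}

// Walk the lockfile "packages" map. Keys are install paths such as
// "node_modules/axios" or "node_modules/foo/node_modules/axios", so nested
// (transitive) copies are found as well as the top-level one.
function installedVersions(lock, name) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// Produce one finding per problem; an empty array means the pin is clean.
function auditDependency(pkg, lock, name, badVersions) {
  const findings = [];
  const spec = declaredSpec(pkg, name);
  if (spec === null) {
    findings.push(`${name}: not declared in package.json`);
  } else if (!isExactPin(spec)) {
    findings.push(`${name}: range "${spec}" in package.json is not an exact pin`);
  }
  for (const { path, version } of installedVersions(lock, name)) {
    if (badVersions.has(version)) {
      findings.push(`${path}: locked to compromised version ${version}`);
    }
  }
  return findings;
}

// Constructed sample: the state the PR fixes (caret range, and a lockfile that a
// fresh `npm install` has already resolved to the compromised release).
const BEFORE_PKG = { dependencies: { axios: "^1.13.2" } };
const BEFORE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.13.2" } },
    "node_modules/axios": { version: "1.14.1" },
  },
};

// Constructed sample: the state after the PR (exact pin, lock at 1.13.2), plus a
// hypothetical transitive dependency "some-lib" that carries its own nested axios.
const AFTER_PKG = { dependencies: { axios: "1.13.2" } };
const AFTER_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "1.13.2" } },
    "node_modules/axios": { version: "1.13.2" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/some-lib/node_modules/axios": { version: "0.30.4" },
  },
};

function demo() {
  return {
    before: auditDependency(BEFORE_PKG, BEFORE_LOCK, "axios", COMPROMISED_AXIOS),
    after: auditDependency(AFTER_PKG, AFTER_LOCK, "axios", COMPROMISED_AXIOS),
  };
}

for (const [label, findings] of Object.entries(demo())) {
  console.log(`${label}: ${findings.length ? findings.join("; ") : "ok"}`);
}
```

The "after" sample still yields one finding, on purpose: an exact version in package.json only constrains the direct dependency, so a nested copy pulled in by another package can still resolve to a bad release. Covering transitive copies takes an npm `overrides` entry or a lockfile audit of this kind, which is why the check walks every install path rather than only the top-level entry.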
@sgalsaleh sgalsaleh requested a review from a team as a code owner March 31, 2026 15:24
@netlify

netlify Bot commented Mar 31, 2026


Deploy Preview for kurlsh-testgrid-staging ready!

Name Link
🔨 Latest commit a6db564
🔍 Latest deploy log https://app.netlify.com/projects/kurlsh-testgrid-staging/deploys/69cbe71d7b537300082529b5
😎 Deploy Preview https://deploy-preview-986--kurlsh-testgrid-staging.netlify.app

@netlify

netlify Bot commented Mar 31, 2026


Deploy Preview for kurlsh-testgrid ready!

Name Link
🔨 Latest commit a6db564
🔍 Latest deploy log https://app.netlify.com/projects/kurlsh-testgrid/deploys/69cbe71da9435100089e0cfe
😎 Deploy Preview https://deploy-preview-986--kurlsh-testgrid.netlify.app

@sgalsaleh sgalsaleh merged commit fff25dc into main Mar 31, 2026
11 checks passed
@sgalsaleh sgalsaleh deleted the security/pin-axios-version branch March 31, 2026 15:40