Bump jest-puppeteer and puppeteer to resolve axios CVE-2026-40175#23169

Merged
enricobattocchi merged 2 commits into trunk from fix/dependabot-702-axios-cve
Apr 16, 2026

Conversation

@enricobattocchi
Member

@enricobattocchi enricobattocchi commented Apr 16, 2026

Context

Addresses Dependabot alert #702 (CVE-2026-40175, CVSS 10.0): Axios is vulnerable to CRLF header injection enabling HTTP request smuggling and cloud metadata exfiltration (SSRF).

Note: Despite the critical CVSS score, this vulnerability had no real impact on the plugin or its users. Axios is exclusively a transitive development dependency: it is not bundled or shipped with the plugin. It was pulled in by dev/build/test tooling only (lerna → nx, @wordpress/scripts → wait-on, jest-puppeteer → wait-on). The vulnerability requires a prototype pollution gadget combined with axios making HTTP requests in a server context, which is not a realistic attack vector through build or test tooling. This PR resolves the alert for housekeeping purposes.

Summary

This PR can be summarized in the following changelog entry:

  • Bumps transitive dev dependency axios from 0.25.0/1.2.6/1.11.0 to 1.15.0 to resolve a critical security vulnerability.

Relevant technical choices:

  • Bumped jest-puppeteer from ^6.2.0 to ^11.0.0 and puppeteer from ^9.0.0 to ^24.41.0 in packages/e2e-tests/package.json. This was necessary because the old jest-puppeteer@6 chain (jest-environment-puppeteer → jest-dev-server → wait-on@6 → axios@^0.25.0) was locked to a semver range that could never reach the patched version. The new chain uses wait-on@8 which depends on axios@^1.12.1.
  • Bumped jest and babel-jest from ^27.5.1/^26.6.3 to ^29.7.0 to align with jest-environment-node@^29.7.0 pulled in by jest-puppeteer@^11, avoiding multiple Jest versions and API incompatibilities.
  • Removed stale axios entries from yarn.lock and re-resolved, so all three transitive axios ranges (^1.0.0 from nx, ^1.6.1 from @wordpress/scripts, ^1.12.1 from the new wait-on@8) now resolve to a single axios@1.15.0.
  • The packages/e2e-tests package is not actively used, so the major version bumps in its test infrastructure carry no risk to CI or production.

Test instructions

Test instructions for the acceptance test before the PR gets merged

This PR can be acceptance tested by following these steps:

  • Verify yarn install completes without errors.
  • Verify no axios version below 1.15.0 appears in yarn.lock (grep "axios" yarn.lock).

Relevant test scenarios

  • Changes should be tested with the browser console open
  • Changes should be tested on different posts/pages/taxonomies/custom post types/custom taxonomies
  • Changes should be tested on different editors (Default Block/Gutenberg/Classic/Elementor/other)
  • Changes should be tested on different browsers
  • Changes should be tested on multisite

Test instructions for QA when the code is in the RC

  • QA should use the same steps as above.

Impact check

This PR affects the following parts of the plugin, which may require extra testing:

  • None — only packages/e2e-tests/package.json and yarn.lock are changed (dev dependency resolution).

Other environments

  • This PR also affects Shopify. I have added a changelog entry starting with [shopify-seo], added test instructions for Shopify and attached the Shopify label to this PR.
  • This PR also affects Yoast SEO for Google Docs. I have added a changelog entry starting with [yoast-doc-extension], added test instructions for Yoast SEO for Google Docs and attached the Google Docs Add-on label to this PR.

Documentation

  • I have written documentation for this change. For example, comments in the Relevant technical choices, comments in the code, documentation on Confluence / shared Google Drive / Yoast developer portal, or other.

Quality assurance

  • I have tested this code to the best of my abilities.
  • During testing, I had activated all plugins that Yoast SEO provides integrations for.
  • I have added unit tests to verify the code works as intended.
  • If any part of the code is behind a feature flag, my test instructions also cover cases where the feature flag is switched off.
  • I have written this PR in accordance with my team's definition of done.
  • I have checked that the base branch is correctly set.
  • I have run grunt build:images and committed the results, if my PR introduces new images or SVGs.

Innovation

  • No innovation project is applicable for this PR.
  • This PR falls under an innovation project. I have attached the innovation label.
  • I have added my hours to the WBSO document.

…6-40175

Bumps jest-puppeteer from ^6.2.0 to ^11.0.0 and puppeteer from ^9.0.0
to ^24.41.0 in the e2e-tests package. This eliminates the transitive
dependency on axios@0.25.0 (via wait-on@6) which was vulnerable to CRLF
header injection (GHSA-fvcv-3m26-pcqx, CVSS 10.0).

Also re-resolves the remaining axios lockfile entries so all transitive
axios dependencies now resolve to 1.15.0 (patched).

Addresses Dependabot alert #702.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@enricobattocchi enricobattocchi added the changelog: non-user-facing Needs to be included in the 'Non-userfacing' category in the changelog label Apr 16, 2026
@github-actions

@enricobattocchi Please be aware that following packages have been abandoned and are not actively maintained anymore:

Package name Path
@yoast/babel-preset packages/babel-preset
@yoast/components packages/components
@yoast/e2e-tests packages/e2e-tests
@yoast/helpers packages/helpers
@yoast/jest-preset packages/jest-preset
@yoast/style-guide packages/style-guide
eslint-config-yoast packages/esling-config-yoast

Please consider using the other packages instead.

@coveralls

coveralls commented Apr 16, 2026

Coverage Report for CI Build 5

Coverage at 53.429% (no base build to compare)

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 64957
Covered Lines: 34550
Line Coverage: 53.19%
Relevant Branches: 16651
Covered Branches: 9052
Branch Coverage: 54.36%
Branches in Coverage %: Yes
Coverage Strength: 46309.03 hits per line

💛 - Coveralls

Contributor

Copilot AI left a comment

Pull request overview

Updates the E2E test tooling dependency chain to eliminate vulnerable transitive axios versions and converge on a single patched axios@1.15.0.

Changes:

  • Bump jest-puppeteer to ^11.0.0 and puppeteer to ^24.41.0 in packages/e2e-tests.
  • Re-resolve yarn.lock so all transitive axios ranges resolve to axios@1.15.0.
  • Update related transitive dependencies (wait-on@8, joi@18, follow-redirects@1.16.0, etc.) as part of the re-lock.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
packages/e2e-tests/package.json Major bumps to puppeteer tooling to move off the vulnerable axios chain.
yarn.lock Lockfile re-resolution to consolidate to a single patched axios@1.15.0 and reflect updated transitive deps.

Comment thread packages/e2e-tests/package.json Outdated
Aligns jest and babel-jest with jest-environment-node@^29.7.0 pulled in
by jest-puppeteer@^11, avoiding multiple Jest versions and potential API
incompatibilities.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions

@enricobattocchi Please be aware that following packages have been abandoned and are not actively maintained anymore:

Package name Path
@yoast/babel-preset packages/babel-preset
@yoast/components packages/components
@yoast/e2e-tests packages/e2e-tests
@yoast/helpers packages/helpers
@yoast/jest-preset packages/jest-preset
@yoast/style-guide packages/style-guide
eslint-config-yoast packages/esling-config-yoast

Please consider using the other packages instead.

@enricobattocchi enricobattocchi added this to the 27.6 milestone Apr 16, 2026
@enricobattocchi enricobattocchi merged commit e0fec02 into trunk Apr 16, 2026
23 checks passed
@enricobattocchi enricobattocchi deleted the fix/dependabot-702-axios-cve branch April 16, 2026 13:37
Labels

changelog: non-user-facing Needs to be included in the 'Non-userfacing' category in the changelog
