Commit 4341944
chore(deps): override axios to ^1.15.2 to patch transitive 1.15.0 (#2419)
The hoisted root node_modules/axios was stuck at 1.15.0 (pulled in via
axios-mock-adapter's `axios: ">= 0.17.0"` peer dep) even after PR #2417
bumped the workspace direct deps to 1.15.2. Workspace-only updates don't
touch the root tree, so 10 Dependabot alerts (4 high) stayed open against
the transitive copy:
- GHSA-pf86-5x62-jrwf (high): Prototype Pollution Gadgets
- GHSA-6chq-wfr3-2hj9 (high): Header Injection via Prototype Pollution
- GHSA-pmwg-cvhr-8vh7 (high): NO_PROXY Bypass via 127.0.0.0/8 in 1.15.0
- GHSA-q8qp-cvcw-x6jj (high): Prototype Pollution in HTTP adapter
- GHSA-445q-vr5w-6q77, GHSA-m7pr-hjqh-92cm, GHSA-xx6v-rp6x-q39c,
GHSA-w9j2-pvgh-6h63, GHSA-3w6x-2g7m-8v23, GHSA-xhjh-pmcv-23jw
Adding `axios: ^1.15.2` to the root overrides forces npm to resolve a
single hoisted copy that satisfies every consumer. The lockfile now
collapses calm-hub-ui/cli/shared nested copies into one root entry at
1.16.0, the highest match of the override. `npm audit` reports axios
clean.
Signed-off-by: Matthew Bain <matt@rocketstack.co>

1 parent 5747fa3 commit 4341944
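The commit message describes the failure mode: a root `overrides` entry is needed because workspace-level bumps leave the hoisted root copy untouched, and the fix is confirmed when the lockfile collapses to a single root entry that satisfies the override. The script below is an added example, not code from this commit or from the project; it walks an npm lockfile's `packages` map (lockfileVersion 2/3), lists every resolved copy of a package, flags copies that violate a `^` override, and reports whether the tree has collapsed to one hoisted copy. The lockfiles are constructed inline with hypothetical workspace and version data to mirror the before/after state the commit describes; the caret check handles only `^X.Y.Z` ranges with a non-zero major.

```javascript
// Added example (not from the commit or project): audit an npm lockfile for
// multiple resolved copies of a package and check them against a root override.

// Constructed "before" lockfile: root copy stuck at 1.15.0, workspaces bumped.
const LOCKFILE_BEFORE = {
  name: "example-workspace", // hypothetical
  lockfileVersion: 3,
  packages: {
    "": { name: "example-workspace", overrides: { axios: "^1.15.2" } },
    "node_modules/axios": { version: "1.15.0" },
    "node_modules/axios-mock-adapter": {
      version: "2.1.0", peerDependencies: { axios: ">= 0.17.0" },
    },
    "cli/node_modules/axios": { version: "1.15.2" },
    "shared/node_modules/axios": { version: "1.15.2" },
  },
};

// Constructed "after" lockfile: nested copies collapsed into one root entry.
const LOCKFILE_AFTER = {
  name: "example-workspace",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-workspace", overrides: { axios: "^1.15.2" } },
    "node_modules/axios": { version: "1.16.0" },
    "node_modules/axios-mock-adapter": {
      version: "2.1.0", peerDependencies: { axios: ">= 0.17.0" },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics for "^X.Y.Z" with X > 0: same major and version >= X.Y.Z.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only ^ ranges supported: ${range}`);
  const base = range.slice(1);
  if (parseVersion(base)[0] === 0) throw new Error("0.x caret ranges not handled");
  return parseVersion(version)[0] === parseVersion(base)[0]
    && compareVersions(version, base) >= 0;
}

// Every lockfile path that resolves <name>: the hoisted root copy
// ("node_modules/<name>") and any nested copy ("<anything>/node_modules/<name>").
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Report the override range, all copies, copies that violate the range,
// and whether the tree has collapsed to a single hoisted copy.
function auditOverride(lock, name) {
  const range = (lock.packages[""].overrides || {})[name];
  const copies = findCopies(lock, name);
  const violating = range ? copies.filter((c) => !satisfiesCaret(c.version, range)) : copies;
  const collapsed = copies.length === 1 && copies[0].path === `node_modules/${name}`;
  return { range, copies, violating, collapsed };
}

console.log("before:", JSON.stringify(auditOverride(LOCKFILE_BEFORE, "axios")));
console.log("after: ", JSON.stringify(auditOverride(LOCKFILE_AFTER, "axios")));
```

Against the "before" lockfile the root copy is the one violating entry and `collapsed` is false; against the "after" lockfile the single root entry at 1.16.0 satisfies `^1.15.2` and `collapsed` is true. To run it on a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))`; `npm ls <name>` gives the same picture from npm's own resolver and is the check to pair with `npm audit`.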
2 files changed
Lines changed: 8 additions & 136 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
77 | 77 | | |
78 | 78 | | |
79 | 79 | | |
| 80 | + | |
80 | 81 | | |
81 | 82 | | |
82 | 83 | | |
| |||
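Review bot: the only rendered hunk shows a single insertion at new line 80 (old lines 77-79 and 80-82 unchanged around it) but neither the file name nor the content of the added line is visible, and the second changed file, which per the summary carries most of the 136 deletions, is not rendered at all. That leaves the two claims in the commit message unverifiable from this page: that `axios: ^1.15.2` was added to the root `overrides` and that the nested calm-hub-ui/cli/shared copies collapsed into one root entry at 1.16.0. Please include the package.json hunk contents and the lockfile diff, or attach `npm ls axios` and `npm audit` output showing a single hoisted copy.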
0 commit comments