chore(deps): override axios to ^1.15.2 to patch transitive 1.15.0#2419

Merged
jpgough-ms merged 2 commits into finos:main from rocketstack-matt:fix/axios-transitive-override
May 6, 2026

Conversation

@rocketstack-matt

Description

The hoisted root node_modules/axios was stuck at 1.15.0 even after #2417 bumped the workspace direct deps to 1.15.2. The root copy is pulled in to satisfy axios-mock-adapter's axios: ">= 0.17.0" peer dep, and --workspace-scoped installs don't update the root tree, so 10 Dependabot alerts (4 high-severity) stayed open against the transitive copy.

This PR adds axios: ^1.15.2 to the root overrides block in package.json. After npm install --package-lock-only the lockfile collapses the per-workspace calm-hub-ui/, cli/, and shared/node_modules/axios copies into a single hoisted root entry at 1.16.0 (the highest match for ^1.15.2).

npm audit reports axios clean afterwards. Same pattern as the existing picomatch, serialize-javascript, qs, lodash, etc. overrides.

Vulnerabilities resolved

GHSA                 Severity  Summary
GHSA-pf86-5x62-jrwf  high      Axios: Prototype Pollution Gadgets — Response Tampering, Data Exfiltration, Request Hijacking
GHSA-6chq-wfr3-2hj9  high      Axios: Header Injection via Prototype Pollution
GHSA-pmwg-cvhr-8vh7  high      Axios: Incomplete fix for CVE-2025-62718 — NO_PROXY bypass via 127.0.0.0/8 in 1.15.0
GHSA-q8qp-cvcw-x6jj  high      Axios: Prototype pollution read-side gadgets in HTTP adapter
GHSA-445q-vr5w-6q77  medium    Axios: CRLF Injection in multipart/form-data via unsanitized blob.type
GHSA-m7pr-hjqh-92cm  medium    Axios: no_proxy bypass via IP alias allows SSRF
GHSA-xx6v-rp6x-q39c  medium    Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution
GHSA-w9j2-pvgh-6h63  medium    Axios: Authentication Bypass via Prototype Pollution in validateStatus
GHSA-3w6x-2g7m-8v23  medium    Axios: Invisible JSON Response Tampering via parseReviver
GHSA-xhjh-pmcv-23jw  low       Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Why Dependabot didn't catch this on its own

Run 25385074152 was green but raised no PR: it inspected the workspace direct deps (already at 1.15.2 after #2417) and the GroupDependencySelector correctly filtered them out — but Dependabot doesn't re-probe the transitive root tree, so the still-vulnerable hoisted 1.15.0 was never seen.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 Code style/formatting changes
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvements
  • ✅ Test additions or updates
  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CLI (cli/)
  • Schema (calm/)
  • CALM AI (calm-ai/)
  • CALM Hub (calm-hub/)
  • CALM Hub UI (calm-hub-ui/)
  • CALM Server (calm-server/)
  • CALM Widgets (calm-widgets/)
  • Documentation (docs/)
  • Shared (shared/)
  • VS Code Extension (calm-plugins/vscode/)
  • Dependencies
  • CI/CD

Testing

  • I have tested my changes locally
  • I have added/updated unit tests
  • All existing tests pass

Verified locally:

  • npm install --package-lock-only --ignore-scripts regenerates the lockfile cleanly
  • After regeneration: node_modules/axios resolves to 1.16.0, all four nested workspace copies collapse into the root
  • npm audit reports axios clean (no remaining axios advisories); other unrelated package vulns are out of scope

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards

The hoisted root node_modules/axios was stuck at 1.15.0 (pulled in via
axios-mock-adapter's `axios: ">= 0.17.0"` peer dep) even after PR finos#2417
bumped the workspace direct deps to 1.15.2. Workspace-only updates don't
touch the root tree, so 10 Dependabot alerts (4 high) stayed open against
the transitive copy:

- GHSA-pf86-5x62-jrwf (high): Prototype Pollution Gadgets
- GHSA-6chq-wfr3-2hj9 (high): Header Injection via Prototype Pollution
- GHSA-pmwg-cvhr-8vh7 (high): NO_PROXY Bypass via 127.0.0.0/8 in 1.15.0
- GHSA-q8qp-cvcw-x6jj (high): Prototype Pollution in HTTP adapter
- GHSA-445q-vr5w-6q77, GHSA-m7pr-hjqh-92cm, GHSA-xx6v-rp6x-q39c,
  GHSA-w9j2-pvgh-6h63, GHSA-3w6x-2g7m-8v23, GHSA-xhjh-pmcv-23jw

Adding `axios: ^1.15.2` to the root overrides forces npm to resolve a
single hoisted copy that satisfies every consumer. The lockfile now
collapses calm-hub-ui/cli/shared nested copies into one root entry at
1.16.0, the highest match of the override. `npm audit` reports axios
clean.

Signed-off-by: Matthew Bain <matt@rocketstack.co>
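The failure mode the description and the "Why Dependabot didn't catch this" section both describe is a hoisted transitive copy that stays behind while the workspace direct deps move on. The following is an added example, not code from the CALM repository or from npm: it walks the `packages` map of a lockfile v3 `package-lock.json`, lists every installed copy of a package (root and nested), and flags any copy below a minimum patched version. The lockfile fragments are constructed to mirror the before and after states in the PR; the version comparison is a deliberately simplified numeric compare, not full semver.

```javascript
// Added example (not the CALM project's code): scan a package-lock.json v3
// "packages" map for every installed copy of a dependency and check each
// against a minimum patched version, so a hoisted transitive copy older than
// the workspace direct deps is flagged instead of silently left in place.

// Parse "1.15.0" into [1, 15, 0]; pre-release suffixes are dropped for brevity.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}
// Numeric compare: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}
// Every lockfile entry that installs `name`: its path, version, whether it
// is the hoisted root copy, and whether it meets the minimum patched version.
function findCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      hoisted: path === suffix,
      patched: compareVersions(entry.version, minVersion) >= 0,
    }));
}
// Verdict: true only when at least one copy exists and every copy is patched.
function allPatched(lock, name, minVersion) {
  const copies = findCopies(lock, name, minVersion);
  return copies.length > 0 && copies.every((c) => c.patched);
}

// Constructed lockfile fragment for the "before" state in the PR: workspace
// copies bumped to 1.15.2, hoisted root copy still at 1.15.0.
const lockBefore = { lockfileVersion: 3, packages: {
  "node_modules/axios": { version: "1.15.0" },
  "calm-hub-ui/node_modules/axios": { version: "1.15.2" },
  "cli/node_modules/axios": { version: "1.15.2" },
  "shared/node_modules/axios": { version: "1.15.2" },
} };
// Constructed "after" state: the override collapses everything to one root copy.
const lockAfter = { lockfileVersion: 3, packages: { "node_modules/axios": { version: "1.16.0" } } };
```

Running `findCopies` against a real lockfile (`JSON.parse` of `package-lock.json`) in CI, with the minimum set to the patched floor of the root override, is one way to make a stale hoisted copy fail a build even when no scanner opens an alert for it.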
Copilot AI review requested due to automatic review settings May 5, 2026 20:40
@rocketstack-matt rocketstack-matt requested a review from a team as a code owner May 5, 2026 20:40
@github-actions github-actions Bot added the config label May 5, 2026
Copilot AI left a comment

Pull request overview

This PR addresses unresolved security alerts caused by a hoisted, transitive root axios install staying on a vulnerable version despite workspace-level bumps, by enforcing a safe minimum via root-level overrides.

Changes:

  • Added a root overrides entry for axios (^1.15.2) to force the hoisted/root resolution off 1.15.0.
  • Regenerated package-lock.json so axios is hoisted and resolved to 1.16.0, collapsing prior per-workspace duplicate installs.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File               Description
package.json       Adds a root overrides rule to force axios to a patched range.
package-lock.json  Updates the lockfile to reflect the new override/hoisting (root axios now resolves to 1.16.0).


@jpgough-ms jpgough-ms merged commit 4341944 into finos:main May 6, 2026
21 checks passed
@rocketstack-matt rocketstack-matt deleted the fix/axios-transitive-override branch May 6, 2026 10:36