[Snyk] Security upgrade axios from 1.13.1 to 1.13.5 #172
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
There was a problem hiding this comment.
Pull request overview
This Snyk-generated PR aims to remediate a reported high-severity axios vulnerability by upgrading the axios dependency version in the Node.js project.
Changes:
- Bump
axiosdependency from^1.13.1to^1.13.5inpackage.json.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@mercuryworkshop/scramjet": "https://github.com/MercuryWorkshop/scramjet/releases/download/latest/mercuryworkshop-scramjet-2.0.0-alpha.tgz", | ||
| "@mercuryworkshop/wisp-js": "^0.3.3", | ||
| "axios": "^1.13.1", | ||
| "axios": "^1.13.5", |
There was a problem hiding this comment.
axios is bumped in package.json, but package-lock.json in this repo still pins node_modules/axios to 1.13.1. With npm installs that honor the lockfile (default in CI), this PR won’t actually upgrade the installed version and therefore won’t remediate the vulnerability. Please regenerate and commit an updated package-lock.json (e.g., run npm install / npm update axios), ensuring it resolves to 1.13.5+.
| "axios": "^1.13.5", | |
| "axios": "^1.13.6", |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7bff332e92
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "@mercuryworkshop/scramjet": "https://github.com/MercuryWorkshop/scramjet/releases/download/latest/mercuryworkshop-scramjet-2.0.0-alpha.tgz", | ||
| "@mercuryworkshop/wisp-js": "^0.3.3", | ||
| "axios": "^1.13.1", | ||
| "axios": "^1.13.5", |
There was a problem hiding this comment.
Changing package.json to axios@^1.13.5 without regenerating package-lock.json leaves the lockfile pinned to axios 1.13.1 (package-lock.json entries at lines 16 and 491), so environments that install from the lockfile (for example, frozen-lockfile or clean-lockfile workflows) will still use the vulnerable version and not receive the intended security fix.
Useful? React with 👍 / 👎.
|
hmmm |
3 participants
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution