
chore: [sc-13928] CVE-2025-62718: internal-tools-v3, react-addsearch-ui, ready-made-recommendation-widget, admin-panel-react#98

Merged
haoAddsearch merged 2 commits into master from sc-13928/cve-2025-62718 on Apr 13, 2026

Conversation


@haoAddsearch haoAddsearch commented Apr 13, 2026

Story details: https://app.shortcut.com/addsearch/story/13928

Summary by CodeRabbit

  • Chores
    • Patch version 1.2.3 released with dependency updates and maintenance improvements
    • Core runtime dependencies updated to latest compatible versions for enhanced compatibility and ecosystem integration
    • Refined dependency version constraints and overrides implemented to improve overall dependency management and resolution across the application ecosystem


coderabbitai Bot commented Apr 13, 2026

Walkthrough

Package version is incremented from 1.2.2 to 1.2.3, and dependencies are updated: axios upgraded from ^1.12.0 to ^1.15.0, serialize-javascript override bumped from ^7.0.4 to ^7.0.5, and new overrides added for brace-expansion and picomatch.

Changes

Cohort / File(s) | Summary
Package Configuration (package.json) | Version increment (1.2.2 → 1.2.3), axios dependency upgrade (^1.12.0 → ^1.15.0), serialize-javascript override update (^7.0.4 → ^7.0.5), and new overrides for brace-expansion (^2.0.3) and picomatch (^4.0.2).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

claude-code-assisted

Suggested reviewers

  • tomasz-addsearch
  • italo-addsearch
  • kanarupan-addsearch
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
Title check | ❓ Inconclusive | The title mentions specific CVE and package names but doesn't clearly summarize the actual change—dependency updates and version bump—making it overly broad and not directly reflective of the main technical modification. | Consider revising the title to focus on the primary change, such as 'chore: update dependencies to address CVE-2025-62718' or 'chore: bump axios and patch dependencies for security', which would be clearer for teammates reviewing history.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
package.json (2)

49-49: Address AxiosHeaders typing change in request interceptors.

The upgrade to axios ^1.15.0 includes a breaking TypeScript change introduced in v1.12.0: InternalAxiosRequestConfig.headers is now an AxiosHeaders class instance instead of a plain object. The current code in src/api.ts (line 27) uses a type assertion workaround (headers: config.headers as Record<string, string>), which should be replaced with proper AxiosHeaders handling (e.g., new AxiosHeaders(config.headers) or using .set() methods).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 49, The request interceptor in src/api.ts currently
uses a type assertion (headers: config.headers as Record<string, string>) which
breaks with axios v1.15 where InternalAxiosRequestConfig.headers is an
AxiosHeaders instance; replace the assertion with proper AxiosHeaders handling
by importing AxiosHeaders from 'axios' and either constructing a new instance
(e.g., new AxiosHeaders(config.headers)) or treating config.headers as
AxiosHeaders and using its .set()/.toJSON() methods before assigning to outgoing
requests; update the interceptor code where axios.interceptors.request.use (or
the function handling config) mutates headers to use AxiosHeaders APIs instead
of plain-object casts.

89-91: Pin overrides to exact versions for deterministic CVE remediation.

Lines 89-91 use ranged overrides (^). For security fixes, exact versions eliminate semver resolution variability and ensure reproducible builds across fresh installs. Note that braces on line 88 is already pinned exactly.

Suggested change
-    "serialize-javascript": "^7.0.5",
-    "brace-expansion": "^2.0.3",
-    "picomatch": "^4.0.2"
+    "serialize-javascript": "7.0.5",
+    "brace-expansion": "2.0.3",
+    "picomatch": "4.0.2"
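Review bot: pinning these three overrides exactly only proves anything if package-lock.json is regenerated in the same change, and this review excluded package-lock.json by path filter (see the ignored-files list further down), so the versions of serialize-javascript, brace-expansion and picomatch that a fresh install would actually resolve cannot be confirmed from this hunk alone. Before treating the CVE named in the title as remediated, check the lockfile for every installed copy of these packages, including nested copies under other dependencies, since an override is meant to apply to all of them. Note also the trade-off of an exact pin: it freezes the override at this version, so a later patch release of any of the three will not be picked up without another deliberate bump.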
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 89 - 91, The overrides list uses caret ranges for
"serialize-javascript", "brace-expansion", and "picomatch", which allows semver
variation; update the package.json overrides to pin these three packages to
exact versions (remove the leading ^ and set the specific resolved version
numbers) so installs are deterministic and match the CVE remediation; ensure
format matches the existing "braces" entry and run a fresh lockfile update
afterwards to lock transitive deps.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 60c2bb25-c4f6-4704-b527-c49e7794f9b7

📥 Commits

Reviewing files that changed from the base of the PR and between 0336165 and 4e22cd4.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
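The second nitpick above asks for exact pins and a fresh lockfile so the remediation is deterministic. What a reviewer then wants is a way to confirm that the lockfile really honours the overrides block, including nested copies that npm installs under other dependencies. The script below is an added example, not code from this PR or from AddSearch: it checks every installed copy of each overridden package in a lockfile v2/v3 `packages` map against the override, treating exact pins as exact and evaluating caret ranges with a small built-in check so it runs offline without a semver package. The package.json and package-lock.json objects at the bottom are constructed sample input, not the PR's real files; the versions in them are illustrative.

```javascript
// Added example (not code from the PR or from AddSearch): audit a package-lock.json
// against the "overrides" block of package.json so that a CVE remediation can be
// confirmed rather than assumed. Every installed copy of an overridden package,
// top-level or nested under another dependency, is checked against the override.
// Exact pins must match exactly; caret ranges are evaluated by a small built-in
// caret check so the script needs no semver package and runs offline.

// Parse "MAJOR.MINOR.PATCH"; prerelease and build suffixes are ignored here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies `spec`. Only exact pins ("7.0.5") and caret
// ranges ("^7.0.5") are supported, which is what an overrides block normally uses.
function satisfies(version, spec) {
  const v = parseVersion(version);
  if (spec.startsWith("^")) {
    const lo = parseVersion(spec.slice(1));
    // npm treats ^0.y.z as ">=0.y.z <0.(y+1).0"; otherwise "<(MAJOR+1).0.0".
    const hi = lo[0] === 0 ? [0, lo[1] + 1, 0] : [lo[0] + 1, 0, 0];
    return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
  }
  return compareVersions(v, parseVersion(spec)) === 0;
}

// Lockfile v2/v3 keys each installed copy under "packages" as
// "node_modules/<name>" or "<parent path>/node_modules/<name>".
function installedCopies(lock, name) {
  const tail = `node_modules/${name}`;
  return Object.entries(lock.packages ?? {})
    .filter(([path]) => path === tail || path.endsWith(`/${tail}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Returns one finding per installed copy that escapes its override. An empty
// list means the lockfile honours every override; a package that is not
// installed at all produces no finding, since there is nothing to pin.
function auditOverrides(pkg, lock) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.overrides ?? {})) {
    for (const { path, version } of installedCopies(lock, name)) {
      if (!satisfies(version, spec)) findings.push({ name, path, version, spec });
    }
  }
  return findings;
}

// Constructed sample input (not the PR's real package.json or lockfile): two
// exact pins and one caret override, with a stale lockfile that still carries
// an old brace-expansion and a nested picomatch that the override never reached.
const SAMPLE_PKG = {
  overrides: {
    "serialize-javascript": "7.0.5",
    "brace-expansion": "^2.0.3",
    picomatch: "4.0.2",
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/serialize-javascript": { version: "7.0.5" },
    "node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/picomatch": { version: "4.0.2" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
  },
};

for (const f of auditOverrides(SAMPLE_PKG, SAMPLE_LOCK)) {
  console.log(`${f.path}: resolved ${f.version}, override requires ${f.spec}`);
}
```

Against a real checkout, feed `auditOverrides` the parsed contents of package.json and package-lock.json and fail CI when it returns anything; a clean run after `npm install` with a regenerated lock is the evidence the nitpick is asking for, and the nested-copy case in the sample is the one a top-level `npm ls` glance tends to miss.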

@haoAddsearch haoAddsearch merged commit 957bcc8 into master Apr 13, 2026
2 checks passed
@haoAddsearch haoAddsearch deleted the sc-13928/cve-2025-62718 branch April 13, 2026 11:22