
fix(security): Patch axios security vulnerabilities.#5998

Merged
jbocce merged 1 commit into OHIF:master from jbocce:fix/OHIF-2593-axios-security-patch
May 6, 2026

Conversation

@jbocce
Collaborator

@jbocce jbocce commented May 6, 2026

Context

See...

  1. Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
  2. Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
  3. Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
  4. Axios: Header Injection via Prototype Pollution

Changes & Results

Updated the axios dependency to version 1.15.2.

Testing

Automated tests should pass.

Checklist

PR

  • My Pull Request title is descriptive, accurate and follows the
    semantic-release format and guidelines.

Code

  • My code has been well-documented (function documentation, inline comments,
    etc.)

Public Documentation Updates

  • The documentation page has been updated as necessary for any public API
    additions or removals.

Greptile Summary

This PR patches four axios security advisories (CVE-2025-62718, prototype pollution, header injection) by bumping the axios dependency from 1.15.0 to 1.15.2 in both devDependencies and the resolutions block of package.json, ensuring transitive consumers are also patched.

  • package.json and yarn.lock changes are clean and correctly scoped to the axios upgrade.
  • bun.lock includes the expected axios bump but also carries ~314 lines of unrelated @ohif internal workspace version advances (3.13.0-beta.64 → 3.13.0-beta.68) that appear to have been included inadvertently.

Confidence Score: 4/5

The axios security upgrade itself is correct and complete — both the direct dependency and the resolutions override are updated and lockfiles regenerated. Safe to merge if the bun.lock workspace version advances are intentional.

The core security fix is well-formed: package.json updates the version in two places, yarn.lock resolves correctly, and the resolutions block ensures nested packages also get the patched version. The only concern is that bun.lock includes a large block of internal @OHIF workspace version bumps (beta.64 → beta.68) that appear unrelated to the stated purpose. Whether those changes are intentional should be confirmed before merging.

bun.lock — contains workspace-version changes beyond the axios patch that warrant a second look

Important Files Changed

  • package.json: Bumps axios from 1.15.0 to 1.15.2 in both devDependencies and resolutions, correctly covering transitive dependencies.
  • yarn.lock: Yarn lockfile updated to resolve axios to 1.15.2 with the correct registry hash; change is scoped to the single axios entry.
  • bun.lock: Contains the expected axios 1.15.0 → 1.15.2 bump, but also includes 314 lines of @OHIF internal package version changes (beta.64 → beta.68) unrelated to the stated security fix.

Comments Outside Diff (1)

  1. bun.lock, line 50 (link)

    P2 Unrelated workspace version bumps included in lockfile

    bun.lock contains ~314 line changes where internal @ohif package references advance from 3.13.0-beta.64 to 3.13.0-beta.68, which is unrelated to the stated axios security patch. These changes may have been pulled in when bun install was re-run after editing package.json. If the repo is using both yarn and bun lock files, consider regenerating only bun.lock from a clean state against the target branch, or confirming these workspace-version changes are intentional before merging.


Reviews (1): Last reviewed commit: "Patch axios security vulnerabilities." | Re-trigger Greptile
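The review above rests on two claims: that every axios range a lockfile resolves now lands on 1.15.2, and that the resolutions block in package.json forces transitive consumers onto that version. The script below is an added example (not OHIF project code, not part of this PR) that checks both claims mechanically for a yarn v1 lockfile. The lockfile fragments, the package.json fragment and the integrity placeholders are constructed for the example; the parser only understands the yarn v1 layout, not bun.lock.

```javascript
// Added example, not code from the OHIF project: verify that a yarn v1 lockfile
// resolves every range of a package (direct and transitive) to a patched
// version, and that package.json carries a matching "resolutions" override.
// Both lockfile fragments and the package.json fragment are constructed.

// Constructed lockfile after the fix: both axios ranges collapse to 1.15.2.
const PATCHED_YARN_LOCK = `
# yarn lockfile v1

"axios@^1.12.0", "axios@^1.15.0":
  version "1.15.2"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.2.tgz#constructed"
  integrity sha512-CONSTRUCTED

"some-lib@^2.0.0":
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/some-lib/-/some-lib-2.0.0.tgz#constructed"
  integrity sha512-CONSTRUCTED
  dependencies:
    axios "^1.12.0"
`;

// Constructed lockfile before the fix: a transitive range still pins 1.15.0.
const STALE_YARN_LOCK = `
# yarn lockfile v1

"axios@^1.15.0":
  version "1.15.2"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.2.tgz#constructed"

"axios@^1.12.0":
  version "1.15.0"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.0.tgz#constructed"
`;

// Constructed package.json fragment with the override the PR description refers to.
const PACKAGE_JSON = JSON.stringify({
  devDependencies: { axios: '1.15.2' },
  resolutions: { axios: '1.15.2' },
});

// Compare dotted numeric versions; pre-release and build suffixes are ignored.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map((n) => Number(n) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Parse a yarn v1 lockfile into [{ keys, version }] entries. An entry header is
// an unindented line ending in ":" whose comma-separated keys may be quoted.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!/^\s/.test(raw) && raw.endsWith(':')) {
      current = {
        keys: raw.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, '')),
        version: null,
      };
      entries.push(current);
      continue;
    }
    const m = raw.match(/^\s+version "([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Package name of a lock key such as "axios@^1.15.0" or "@ohif/core@^3.13.0".
function keyName(key) {
  return key.slice(0, key.lastIndexOf('@'));
}

// Every distinct version the lockfile resolves for pkgName, sorted ascending.
function lockedVersionsOf(lockText, pkgName) {
  const versions = parseYarnLock(lockText)
    .filter((e) => e.keys.some((k) => keyName(k) === pkgName))
    .map((e) => e.version);
  return [...new Set(versions)].sort(compareVersions);
}

// Lock entries for pkgName that resolve below minVersion (empty means patched).
function findBelowMinimum(lockText, pkgName, minVersion) {
  return parseYarnLock(lockText).filter(
    (e) => e.keys.some((k) => keyName(k) === pkgName) && compareVersions(e.version, minVersion) < 0,
  );
}

// True when package.json pins pkgName to at least minVersion in "resolutions",
// which is what forces transitive consumers onto the patched release.
function resolutionCovers(packageJsonText, pkgName, minVersion) {
  const pinned = (JSON.parse(packageJsonText).resolutions || {})[pkgName];
  return pinned !== undefined && compareVersions(pinned.replace(/^[\^~]/, ''), minVersion) >= 0;
}

console.log('patched lock resolves axios to:', lockedVersionsOf(PATCHED_YARN_LOCK, 'axios'));
console.log('stale lock entries below 1.15.2:', findBelowMinimum(STALE_YARN_LOCK, 'axios', '1.15.2').map((e) => e.keys));
console.log('resolutions override covers 1.15.2:', resolutionCovers(PACKAGE_JSON, 'axios', '1.15.2'));
```

Run it against a real yarn.lock by reading the file into the first argument of findBelowMinimum; a non-empty result means some range, typically one declared by a nested dependency, still resolves to a version carrying the advisories listed above, and resolutionCovers returning false means nothing in package.json would stop that range from reappearing on the next install.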

@netlify

netlify Bot commented May 6, 2026

Deploy Preview for ohif-dev ready!

Name Link
🔨 Latest commit f581163
🔍 Latest deploy log https://app.netlify.com/projects/ohif-dev/deploys/69fb7a2d8259600008f33999
😎 Deploy Preview https://deploy-preview-5998--ohif-dev.netlify.app

@jbocce
Collaborator Author

jbocce commented May 6, 2026

@greptileai the changes you flagged in the bun.lock file are typical of the OHIF build process whenever the bun.lock file changes.

@greptile-apps
Contributor

greptile-apps Bot commented May 6, 2026

Got it, thanks for the context. If those workspace version advances are an expected artifact of the OHIF build process whenever bun.lock is regenerated, then there's nothing to worry about here. The PR looks good — the axios security fix is correctly applied in both package.json and the lockfiles.

Tip: You can give me more context with .greptile/rules.md so I get this right next time.

@jbocce jbocce merged commit 5e624f1 into OHIF:master May 6, 2026
8 checks passed
@jbocce jbocce deleted the fix/OHIF-2593-axios-security-patch branch May 6, 2026 17:49
