[Dependency] Default axios version is vulnerable (GHSA-4hjh-wcwx-xvwj) #994

@stefanherdy

Description:

The current @openapitools/openapi-generator-cli NPM package 📦️ depends on axios ^1.8.4.
This axios version is affected by CVE-2025-58754, a DoS vulnerability.

All axios versions < 1.12.0 are affected.

Impact

This means any project that installs the OpenAPI package will immediately fail npm audit or other security scans.

Steps to Reproduce

Run:
npm install @openapitools/openapi-generator-cli
npm audit

See error:

npm audit report
axios <1.12.0
Severity: high
Axios is vulnerable to DoS attack through lack of data size check - GHSA-4hjh-wcwx-xvwj
fix available via npm audit fix --force
Will install @openapitools/openapi-generator-cli@2.7.0, which is a breaking change
node_modules/axios
@openapitools/openapi-generator-cli >=2.8.0
Depends on vulnerable versions of axios
node_modules/@openapitools/openapi-generator-cli

Expected behavior

The NPM package should depend on axios ^1.12.0 or newer so that projects can pass npm audit by default.

Suggested fix

Update the axios dependency in the generator’s package.json to ^1.12.0

Operating System (issue should be independent of the OS used):

  • OS: Windows 11

Package System:

  • npm version: 11.6.0
  • node version: v22.18.0

Additional context

This issue blocks the usage of the NPM package in environments where npm audit failures or security policy compliance are enforced. Even though the vulnerability is in axios, the fact that the OpenAPI Generator package ships with an outdated version affects every project that includes it.
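The report above relies on `npm audit`, which needs registry access and fails a build only after install. As an added example (not code from the issue or from the openapi-generator-cli project), the script below scans a `package-lock.json` v2/v3 `packages` map offline for axios installs older than 1.12.0, the first release the advisory lists as unaffected, and reports which packages in the tree resolve to each vulnerable copy using Node's nearest-`node_modules` lookup rule. `SAMPLE_LOCK` is a constructed lockfile excerpt that mirrors the tree in the issue; the package `other-client` and the nested axios 1.12.2 are made up to show the hoisted-versus-nested case, and all other version fields are omitted.

```javascript
'use strict';
// Added example, not from the issue or openapi-generator-cli: find axios copies
// in a package-lock "packages" map that are older than the advisory's fixed
// release, and name the packages whose "axios" dependency resolves to each copy.

const FIXED_AXIOS = '1.12.0'; // first unaffected release per GHSA-4hjh-wcwx-xvwj

// Parse the leading major.minor.patch of a version string. Pre-release and build
// metadata are ignored, which is sufficient for comparing installed versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// true when version a is strictly lower than version b
function versionLt(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Node's resolution rule applied to lockfile paths: try <dir>/node_modules/<name>,
// then step up one node_modules level at a time until the root ("") is reached.
function resolveFrom(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('node_modules/');
    dir = idx <= 0 ? '' : dir.slice(0, idx - 1);
  }
}

// Package name from a lockfile path; "" is the root project itself.
function nameOf(path) {
  if (path === '') return '(root project)';
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Returns [{ path, version, dependents }] for every axios install below `fixed`.
function findVulnerableAxios(lock, fixed = FIXED_AXIOS) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const isAxios = path === 'node_modules/axios' || path.endsWith('/node_modules/axios');
    if (!isAxios || !versionLt(meta.version, fixed)) continue;
    // Every package that declares axios and whose lookup lands on this copy depends on it.
    const dependents = Object.entries(packages)
      .filter(([p, m]) => (m.dependencies || {}).axios && resolveFrom(lock, p, 'axios') === path)
      .map(([p]) => nameOf(p));
    findings.push({ path, version: meta.version, dependents });
  }
  return findings;
}

// Constructed lockfile excerpt: the generator CLI pulls in a hoisted axios 1.8.4,
// while a made-up package "other-client" carries its own nested, fixed copy.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { '@openapitools/openapi-generator-cli': '*', 'other-client': '*' } },
    'node_modules/@openapitools/openapi-generator-cli': { dependencies: { axios: '^1.8.4' } },
    'node_modules/axios': { version: '1.8.4' },
    'node_modules/other-client': { dependencies: { axios: '^1.12.0' } },
    'node_modules/other-client/node_modules/axios': { version: '1.12.2' },
  },
};

for (const f of findVulnerableAxios(SAMPLE_LOCK)) {
  console.log(`${f.path}: axios ${f.version} < ${FIXED_AXIOS}, required by ${f.dependents.join(', ')}`);
}
```

On the sample tree this reports only the hoisted `node_modules/axios` at 1.8.4, required by `@openapitools/openapi-generator-cli`; the nested 1.12.2 copy under `other-client` passes. To use it as a CI gate, read the project's real `package-lock.json` into `findVulnerableAxios` and exit non-zero when the result is non-empty; that catches the outdated transitive dependency before `npm audit` would, and keeps working when the registry is unreachable.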

Labels: bug