
ECHOES-1272 Update version of axios to fix CVE-2025-62718#667

Merged
gregaubert merged 1 commit into main from greg/axios
Apr 10, 2026

Conversation

@gregaubert
Member

Part of

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title from "Update version of axios to fix vulnerability" to "ECHOES-1272 Update version of axios to fix vulnerability" Apr 10, 2026
@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Apr 10, 2026

ECHOES-1272

@sonar-review-alpha

sonar-review-alpha Bot commented Apr 10, 2026

Summary

This PR pins axios to 1.15.0 via a resolutions override to address a vulnerability in the transitive dependency chain. The vulnerable version (1.13.2) is required by sonarqube-scanner 4.3.4, but version 1.15.0 is compatible with the scanner and newer versions of its dependencies (follow-redirects, form-data, proxy-from-env). The sonarqube-scanner package itself is also bumped from 4.3.4 to 4.3.5 as part of this update.

What reviewers should know

What changed:

  • package.json: Added "axios": "1.15.0" to resolutions, bumped sonarqube-scanner to 4.3.5
  • package.json.md: Documented the axios override and its security rationale
  • yarn.lock: Locked axios to 1.15.0 and updated its dependencies and transitive deps used by sonarqube-scanner

What to check:

  • Verify the vulnerability being fixed is documented (check axios changelog between 1.13.2→1.15.0)
  • Confirm sonarqube-scanner 4.3.5 works with axios 1.15.0 (it should, but check for any known incompatibilities)
  • Review whether any other parts of the app depend directly on axios and would be affected by the newer version

Note: This is a dependency-tree fix, not application code changes. The main risk is transitive dependency compatibility, which appears safe based on the updated sonarqube-scanner version.

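The review checklist above asks whether the resolutions override actually took effect and whether anything else still pulls in an older axios. The following is an added example (not code from the PR or from the echoes-react project) that parses a Yarn v1 lockfile and reports any package.json "resolutions" pin that the lockfile does not honour; the package.json and yarn.lock fragments are constructed for illustration, not the repository's real files.

```javascript
// Constructed package.json fragment mirroring the PR's override (not the real file).
const packageJson = {
  resolutions: { axios: "1.15.0" },
};

// Constructed Yarn v1 lockfile fragment: both axios ranges collapse onto the pinned version.
const yarnLock = `
"axios@1.15.0", "axios@^1.13.2":
  version "1.15.0"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.0.tgz"
  dependencies:
    follow-redirects "^1.15.6"

"follow-redirects@^1.15.6":
  version "1.15.9"
`;

// Parse a Yarn v1 lockfile into { packageName: Set<resolvedVersion> }.
function parseYarnLockV1(text) {
  const versions = {};
  let current = []; // package names named by the entry header currently being read
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Entry header: one or more "name@range" keys, optionally quoted, comma separated.
      current = line.slice(0, -1).split(",").map((k) => {
        const key = k.trim().replace(/^"|"$/g, "");
        return key.slice(0, key.lastIndexOf("@")); // lastIndexOf keeps @scope/name intact
      });
    } else if (line.startsWith("  version ")) {
      const v = line.trim().slice("version ".length).replace(/^"|"$/g, "");
      for (const name of current) (versions[name] ??= new Set()).add(v);
    }
  }
  return versions;
}

// List every pinned package whose lockfile versions are not exactly the single pinned one.
function findUnhonouredResolutions(pkg, lockText) {
  const lock = parseYarnLockV1(lockText);
  const problems = [];
  for (const [name, pinned] of Object.entries(pkg.resolutions ?? {})) {
    const seen = lock[name] ? [...lock[name]] : [];
    if (seen.length !== 1 || seen[0] !== pinned) problems.push({ name, pinned, seen });
  }
  return problems;
}
```

An empty result means every range that resolves to the pinned package was collapsed onto the override; a non-empty result lists the stray versions a reviewer would need to chase down.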

@gregaubert gregaubert changed the title from "ECHOES-1272 Update version of axios to fix vulnerability" to "ECHOES-1272 Update version of axios to fix CVE-2025-62718" Apr 10, 2026
@netlify

netlify Bot commented Apr 10, 2026

Deploy Preview for echoes-react ready!

Latest commit: 0439da6
Latest deploy log: https://app.netlify.com/projects/echoes-react/deploys/69d8a9aa81b3ca00083f0122
Deploy Preview: https://deploy-preview-667--echoes-react.netlify.app

@gregaubert gregaubert enabled auto-merge (squash) April 10, 2026 07:43
@sonarqube-next

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@gregaubert gregaubert merged commit c086868 into main Apr 10, 2026
10 of 11 checks passed
@gregaubert gregaubert deleted the greg/axios branch April 10, 2026 08:10