FIX: Pin Axios to Exact Version 1.8.4 to Prevent Supply Chain Attacks #17
Removes the semver caret (^) to lock axios at version 1.8.4, preventing automatic upgrades to potentially compromised versions. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
| Filename | Overview |
|---|---|
| frontend/package.json | Removed semver caret from axios, pinning it to exact version 1.8.4 to prevent automatic upgrades to potentially compromised releases. |
| frontend/package-lock.json | Root packages[""] block updated to match package.json's exact "1.8.4" constraint; the node_modules/axios resolved entry (line 6007) already pointed to 1.8.4 with a valid integrity hash, so there is no inconsistency. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[npm install / npm ci] --> B{Version spec in package.json}
B -->|Before: ^1.3.2| C[npm resolves latest compatible\n1.x.x >= 1.3.2]
C --> D{Registry releases}
D --> E[Could resolve to 1.8.4 ✅]
D --> F[Could resolve to 1.14.1 ☠️\ncontains plain-crypto-js malware]
B -->|After: 1.8.4 exact| G[npm resolves exactly 1.8.4]
G --> H[package-lock.json integrity check\nsha512 verified ✅]
H --> I[axios 1.8.4 installed safely ✅]
Reviews (2): Last reviewed commit: "chore: update package-lock.json after pi..."
What
- 1.8.4 by removing the semver caret (^)
Why
- plain-crypto-js)
- ^1.3.2) allows npm to automatically upgrade to any semver-compatible version, potentially including compromised releases
How
- `"axios": "^1.3.2"` to `"axios": "1.8.4"` in `frontend/package.json`
Can this PR break any existing features? If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)
Database Migrations
Env Config
Relevant Docs
Related Issues or PRs
Dependencies Versions
- 1.8.4 (previously ^1.3.2)
Notes on Testing
- `npm install` in the frontend directory
- `npm ls axios`
- `npm update axios` and verify it does NOT upgrade (stays at 1.8.4)
Screenshots
Checklist
I have read and understood the Contribution Guidelines.
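The resolution behaviour drawn in the review flowchart (a caret range can float up to a newer release, an exact pin cannot) and the verification steps under Notes on Testing, as an added example that is not part of this PR or the project's code. It audits a package.json against a lockfileVersion 2/3 package-lock.json and shows which published version a specifier would pick on a fresh install. The manifests, the list of published versions and the `sha512-PLACEHOLDER` integrity strings are constructed for the example; the caret logic covers only the 1.x-style ranges on this page, not 0.x, tilde or prerelease specifiers.

```javascript
// Added example, not the project's code: audit dependency specifiers against the
// lockfile and show what a caret range would resolve to without a lockfile.
// Assumes lockfileVersion 2 or 3 (the "packages" map keyed by node_modules path).

// Constructed sample inputs modelled on the PR. The integrity values are
// placeholders, not the real axios hashes.
const packageJsonBefore = {
  name: "frontend",
  dependencies: { axios: "^1.3.2", react: "18.2.0" },
};
const packageJsonAfter = {
  name: "frontend",
  dependencies: { axios: "1.8.4", react: "18.2.0" },
};
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "1.8.4", react: "18.2.0" } },
    "node_modules/axios": { version: "1.8.4", integrity: "sha512-PLACEHOLDER-axios" },
    "node_modules/react": { version: "18.2.0", integrity: "sha512-PLACEHOLDER-react" },
  },
};
// Constructed list standing in for the registry's published versions.
const publishedAxios = ["1.3.2", "1.8.4", "1.14.1"];

const EXACT = /^\d+\.\d+\.\d+$/;

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Minimal caret semantics for majors >= 1: "^X.Y.Z" admits >= X.Y.Z and < (X+1).0.0.
// Exact specifiers admit one version. Anything else is treated as unsupported here.
function satisfiesSpec(spec, version) {
  if (EXACT.test(spec)) return spec === version;
  if (spec.startsWith("^")) {
    const floor = spec.slice(1);
    const f = parseVersion(floor), v = parseVersion(version);
    return f.major >= 1 && v.major === f.major && compareVersions(version, floor) >= 0;
  }
  return false;
}

// Highest published version the spec admits, i.e. what a fresh install with no
// lockfile would pick. Returns null when nothing matches.
function resolveHighest(spec, published) {
  const candidates = published.filter((v) => satisfiesSpec(spec, v)).sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// One finding per dependency: is the specifier exact, does the lockfile's resolved
// entry satisfy it, does the lockfile root block agree with package.json (npm ci
// refuses to run when it does not), and is the entry protected by a sha512 integrity.
function auditPins(pkg, lock) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const rootDeps = (lock.packages[""] && lock.packages[""].dependencies) || {};
  return Object.entries(deps).map(([name, spec]) => {
    const entry = lock.packages[`node_modules/${name}`] || {};
    return {
      name,
      spec,
      exact: EXACT.test(spec),
      locked: entry.version || null,
      lockMatchesSpec: entry.version ? satisfiesSpec(spec, entry.version) : false,
      rootSpecInSync: rootDeps[name] === spec,
      integrity: typeof entry.integrity === "string" && entry.integrity.startsWith("sha512-"),
    };
  });
}

console.log("^1.3.2 would resolve to", resolveHighest("^1.3.2", publishedAxios));
console.log("1.8.4 would resolve to", resolveHighest("1.8.4", publishedAxios));
console.log(JSON.stringify(auditPins(packageJsonAfter, packageLock), null, 2));
```

Two caveats the audit makes visible: the exact pin only changes what npm writes into the lockfile next time; what a CI job installs is decided by package-lock.json, so `npm ci` (which fails when package.json and the lockfile disagree) is the command that actually enforces the pin, not `npm install`. And the pin covers axios alone; its transitive dependencies keep their own ranges in the lockfile, which is why the integrity field on every resolved entry matters as much as the top-level version.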