
FIX: Pin Axios to Exact Version 1.8.4 to Prevent Supply Chain Attacks#17

Merged: wicky-zipstack merged 2 commits into main from fix/pin-axios-version on Apr 2, 2026

Conversation

@tahierhussain

Contributor

What

  • Pin axios dependency to exact version 1.8.4 by removing the semver caret (^)

Why

  • Recent reports of a supply chain attack on axios@1.14.1 that introduces a malicious dependency (plain-crypto-js)
  • The caret (^1.3.2) allows npm to automatically upgrade to any semver-compatible version, potentially including compromised releases
  • Pinning to an exact version prevents accidental upgrades to malicious versions

How

  • Changed "axios": "^1.3.2" to "axios": "1.8.4" in frontend/package.json
  • Version 1.8.4 is the currently installed version per the lockfile

Can this PR break any existing features? If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

  • No breaking changes - This is a dependency version pinning change only. The installed version remains 1.8.4 (same as before), we are simply preventing automatic upgrades to newer versions.

Database Migrations

  • None

Env Config

  • None

Relevant Docs

  • N/A

Related Issues or PRs

  • N/A

Dependencies Versions

  • axios: pinned to 1.8.4 (previously ^1.3.2)

Notes on Testing

  • Run npm install in the frontend directory
  • Verify axios@1.8.4 is installed: npm ls axios
  • Run npm update axios and verify it does NOT upgrade (stays at 1.8.4)
  • Run the application and verify HTTP requests work correctly

Screenshots

Checklist

I have read and understood the Contribution Guidelines.

Removes the semver caret (^) to lock axios at version 1.8.4, preventing
automatic upgrades to potentially compromised versions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@tahierhussain tahierhussain self-assigned this Apr 1, 2026
@tahierhussain tahierhussain added the bug Something isn't working label Apr 1, 2026
@greptile-apps

greptile-apps Bot commented Apr 1, 2026


Greptile Summary

This PR pins axios from the loose semver range ^1.3.2 to the exact version 1.8.4 in frontend/package.json as a supply-chain security hardening measure, preventing npm from automatically resolving to compromised future releases (e.g., the reported malicious axios@1.14.1).

  • frontend/package.json: caret removed, constraint is now "axios": "1.8.4".
  • frontend/package-lock.json: the root packages[""] block is updated to match ("axios": "1.8.4"), and the node_modules/axios resolved entry was already at 1.8.4 with a valid integrity hash — npm ci will succeed without issues.
  • The previously noted concern about the lockfile being out of sync has been fully addressed in this PR.
  • No functional behaviour changes; the installed version was already 1.8.4 before this change.

Confidence Score: 5/5

This PR is safe to merge — it is a minimal, well-scoped security hardening change with no functional impact.

Both package.json and the lockfile are updated consistently. The node_modules/axios resolved entry already pointed to 1.8.4 with a valid integrity hash, so npm ci will not break. The previously raised lockfile-sync concern is fully resolved in this PR. No logic changes, no API surface affected.

No files require special attention.

Important Files Changed

frontend/package.json: Removed semver caret from axios, pinning it to exact version 1.8.4 to prevent automatic upgrades to potentially compromised releases.
frontend/package-lock.json: Root packages[""] block updated to match package.json's exact "1.8.4" constraint; the node_modules/axios resolved entry (line 6007) already pointed to 1.8.4 with a valid integrity hash — no inconsistency.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npm install / npm ci] --> B{Version spec in package.json}

    B -->|Before: ^1.3.2| C[npm resolves latest compatible\n1.x.x >= 1.3.2]
    C --> D{Registry releases}
    D --> E[Could resolve to 1.8.4 ✅]
    D --> F[Could resolve to 1.14.1 ☠️\ncontains plain-crypto-js malware]

    B -->|After: 1.8.4 exact| G[npm resolves exactly 1.8.4]
    G --> H[package-lock.json integrity check\nsha512 verified ✅]
    H --> I[axios 1.8.4 installed safely ✅]

Reviews (2): Last reviewed commit: "chore: update package-lock.json after pi..."
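The pin described in the PR body and the lockfile consistency the Greptile summary checks by hand can be verified mechanically. The following is an added example, not code from the PR or the project: a Node script that, for a named dependency, confirms package.json carries an exact version (no caret or other range), that the package-lock.json root block and node_modules entry agree with it, and that the entry has a sha512 integrity hash. The manifests embedded in it are constructed samples shaped like npm's package.json and lockfileVersion 3 output, mirroring the before/after state of this PR; the integrity value is a placeholder.

```javascript
// Added example, not the project's code: pre-merge consistency check for a pinned
// dependency. The manifests below are constructed samples, not the project's files.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
// An exact pin is a bare version: no ^, ~, >=, ||, dist-tag or "*".
function isExactPin(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec);
}
// Look a dependency up in either dependencies or devDependencies of a block.
function declaredSpec(block, name) {
  return (block.dependencies || {})[name] ?? (block.devDependencies || {})[name];
}
// Returns a list of problems; an empty list means the pin is consistent everywhere.
function checkPinnedDependency(pkg, lock, name) {
  const problems = [];
  const spec = declaredSpec(pkg, name);
  if (spec === undefined) return [`${name}: not declared in package.json`];
  if (!isExactPin(spec)) {
    problems.push(`${name}: package.json spec "${spec}" is a range, not an exact pin`);
  }
  const packages = lock.packages || {};
  // The root packages[""] block must restate exactly what package.json declares.
  const rootSpec = declaredSpec(packages[""] || {}, name);
  if (rootSpec !== spec) {
    problems.push(`${name}: lockfile root block has "${rootSpec}", package.json has "${spec}"`);
  }
  const entry = packages[`node_modules/${name}`];
  if (!entry) return [...problems, `${name}: no node_modules/${name} entry in lockfile`];
  if (isExactPin(spec) && entry.version !== spec) {
    problems.push(`${name}: lockfile resolved ${entry.version}, package.json pins ${spec}`);
  }
  // npm ci verifies the tarball against this hash; a missing one disables that check.
  if (!/^sha512-[A-Za-z0-9+\/]+=*$/.test(entry.integrity || "")) {
    problems.push(`${name}: node_modules/${name} lacks a sha512 integrity hash`);
  }
  return problems;
}
// Constructed "before" and "after" manifests mirroring the PR's change.
const pkgBefore = { dependencies: { axios: "^1.3.2" } };
const pkgAfter = { dependencies: { axios: "1.8.4" } };
// Constructed lockfile for the "after" state; the integrity value is a placeholder.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "1.8.4" } },
    "node_modules/axios": {
      version: "1.8.4",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.8.4.tgz",
      integrity: "sha512-PLACEHOLDERplaceholderPLACEHOLDER==",
    },
  },
};
```

Run against the "before" manifest it reports both the caret range and the root-block mismatch; against the "after" manifest it reports nothing.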


@wicky-zipstack wicky-zipstack left a comment

Contributor


LGTM

@wicky-zipstack wicky-zipstack merged commit ebdd3d7 into main Apr 2, 2026
2 checks passed