
Update README baseline version and package versions #76

Merged
hhftechnology merged 2 commits into main from pangolin
Apr 10, 2026

Conversation


@hhftechnology hhftechnology commented Apr 10, 2026

Summary by CodeRabbit

  • Documentation

    • Updated the stable release baseline version to reflect current status.
    • Streamlined mobile app download links in the documentation.
  • Chores

    • Updated axios dependency to the latest compatible version.

Bump axios in web/package.json (from ^1.7.2 to ^1.7.9) and regenerate web/package-lock.json. The lockfile refreshes many transitive dependency versions, integrity hashes, and metadata (e.g. updates to @emnapi/@napi-rs, @rolldown bindings, brace-expansion, hono, and others), and adjusts dev/peer/devOptional flags. Keeps dependencies up-to-date for compatibility/security.

vercel bot commented Apr 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: crowdsec-manager-docs | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Apr 10, 2026 2:10pm

coderabbitai bot commented Apr 10, 2026

Walkthrough

Minor maintenance release with documentation and dependency updates. The project version is bumped from 2.3.0 to 2.3.1, the axios dependency is updated to version 1.7.9, and the README baseline version is updated to reflect the current 2.3.0 release alongside mobile app links consolidation.

Changes

Cohort / File(s) Summary
Documentation
README.md
Updated "Current baseline" version to 2.3.0 and consolidated mobile app download links section to a centered block containing Apple App Store and Google Play badges, removing F-Droid and iOS messaging.
Package Configuration
web/package.json
Bumped project version from 2.3.0 to 2.3.1 and updated axios dependency from ^1.7.2 to ^1.7.9.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • Pangolin #70: Updates web/package.json version field in the same release line, with PR #70 advancing from 2.1.0 to 2.3.0 and this PR from 2.3.0 to 2.3.1.

Poem

🐰 A minor version hop, so light and neat,
Axios climbs higher, dependencies complete,
Two-point-three-one, our apps run swift,
With badges aligned—a maintenance gift! 🌟

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title accurately summarizes the main changes: updating README baseline version from 2.0.0 to 2.3.0 and bumping package versions in web/package.json (version and axios dependency).



@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the project version to 2.3.1 and introduces mobile app download links in the README. However, the reviewer identified critical security issues in the lockfiles, specifically the inclusion of non-existent versions for axios (1.15.0) and next (16.2.3). Additionally, the README baseline version is inconsistent with the package version, and the Apple App Store link is currently a placeholder.

"version": "1.13.6",
"resolved": "https://registry.npmjs.org/axios/-/axios-1.13.6.tgz",
"integrity": "sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ==",
"version": "1.15.0",
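Review bot: only the new `"version": "1.15.0"` line of the axios entry is visible in this hunk; the `resolved` and `integrity` lines that accompany the old 1.13.6 entry are not shown, so confirm the regenerated entry carries both, with the tarball served from registry.npmjs.org and a sha512 integrity value. Note that `^1.7.9` in package.json admits any 1.x release at or above 1.7.9, so 1.15.0 is inside the declared range; the open question is whether that version is published on the registry (`npm view axios versions` at merge time), and the jump from 1.13.6 should be recorded in the PR description, which currently mentions only the 1.7.2 to 1.7.9 range change.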

security-critical critical

The axios version 1.15.0 specified here does not exist on the public NPM registry and contradicts the ^1.7.9 requirement in package.json. This is highly suspicious and suggests a potential supply chain attack or a severely corrupted lockfile. This must be investigated and corrected immediately.

"version": "16.0.7",
"resolved": "https://registry.npmjs.org/next/-/next-16.0.7.tgz",
"integrity": "sha512-3mBRJyPxT4LOxAJI6IsXeFtKfiJUbjCLgvXO02fV8Wy/lIhPvP94Fe7dGhUgHXcQy4sSuYwQNcOLhIfOm0rL0A==",
"version": "16.2.3",
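Review bot: the previous lockfile entry visible in this hunk already resolved next to 16.0.7, so the change is a minor bump inside the 16.x line rather than the introduction of a new major. It is still a framework update that arrived through lockfile regeneration alone while the PR description and package.json diff mention only axios; state the next bump explicitly in the description, and confirm that the new entry's `resolved` and `integrity` lines (not shown here) point at registry.npmjs.org.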

security-high high

The version of next is set to 16.2.3. This version does not exist on the public NPM registry (Next.js is currently at version 15). Using non-existent or spoofed versions in a lockfile is a significant security risk and will cause build failures.

## Stable release

- Current baseline: `2.0.0`
- Current baseline: `2.3.0`
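Review bot: this sets the README baseline to 2.3.0 while web/package.json in the same PR moves to 2.3.1, so the two numbers diverge the moment the PR merges. Either bump the baseline to 2.3.1 here, or add a sentence under "Stable release" defining the baseline as the last tagged stable release rather than the package version, so readers are not expected to see them match on patch bumps.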

medium

The baseline version is updated to 2.3.0, but web/package.json specifies version 2.3.1. These should be synchronized to avoid confusion about the current release version.

alt="We are not on iOS :)"
height="80">](https://itunes.apple.com/us/app/hhftechnology/0)
<div align="center">
<a href="https://apps.apple.com/us/app/#"><img width="135" height="39" alt="appstore" src="https://github.com/user-attachments/assets/45e31a11-cf6b-40a2-a083-6dc8d1f01291" /></a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://play.google.com/store/apps/details?id=com.crowdsec.manager.mobile"><img width="135" height="39" alt="googleplay" src="https://github.com/user-attachments/assets/acbba639-858f-4c74-85c7-92a4096efbf5" /></a>
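Review bot: the removed lines show the README previously said plainly "We are not on iOS :)"; the replacement adds an App Store badge whose href ends in a `#` placeholder, which advertises an iOS app that, on the evidence of this hunk, may not exist yet. If there is no published app, keep the honest wording or ship only the Google Play badge; if there is, substitute the real apps.apple.com listing URL. The `<div align="center">` opened here has its closing tag outside the visible lines of this hunk, so check the rendered README once as well.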

medium

The Apple App Store link is currently a placeholder (#). Please replace it with the valid URL for the application.
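The lockfile questions raised in the review above (resolved versions jumping past what package.json appears to ask for, and whether each entry still carries registry-sourced `resolved` and `integrity` data) can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the crowdsec_manager project or from either review bot. It supports only the caret and exact range forms that appear in this PR, and the sample package.json and lockfile are constructed: the `^16.0.0` range for next is assumed (the PR shows next only in the lockfile), the `example-lib` entry is invented to exercise the failure paths, and the integrity strings are placeholders rather than real hashes.

```javascript
// Added example for this page (not crowdsec_manager code, not from either
// review bot): cross-check package.json ranges against an npm lockfile that
// uses the lockfileVersion 2/3 "packages" layout, and flag entries that do
// not satisfy their declared range, lack "resolved"/"integrity", come from
// an unexpected host, or use a weak integrity algorithm.

// Assumption: packages are expected to come from the public npm registry.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org/';

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Only the two range forms this PR uses are supported: exact "1.2.3" and
// caret "^1.2.3" (>=1.2.3 <2.0.0; for a 0.y.z base, >=0.y.z <0.(y+1).0).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    const hi = lo[0] === 0 ? [0, lo[1] + 1, 0] : [lo[0] + 1, 0, 0];
    return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
  }
  return compareVersions(v, parseVersion(range)) === 0;
}

// Returns a list of human-readable findings; an empty list means consistent.
function checkLockfile(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) {
      findings.push(`${name}: declared in package.json but absent from lockfile`);
      continue;
    }
    if (!satisfies(entry.version, range)) {
      findings.push(`${name}: lockfile version ${entry.version} does not satisfy ${range}`);
    }
    if (!entry.resolved || !entry.integrity) {
      findings.push(`${name}: lockfile entry lacks resolved/integrity`);
    } else if (!entry.resolved.startsWith(EXPECTED_REGISTRY)) {
      findings.push(`${name}: resolved from unexpected host ${entry.resolved}`);
    } else if (!/^sha512-/.test(entry.integrity)) {
      findings.push(`${name}: integrity uses a weak algorithm (${entry.integrity.split('-')[0]})`);
    }
  }
  return findings;
}

// Constructed sample input. axios/next mirror the versions visible in the PR
// hunks (the "^16.0.0" range for next is assumed, since the PR shows next only
// in the lockfile); "example-lib" is invented to exercise the failure paths,
// and the integrity values are placeholders, not real hashes.
const SAMPLE_PKG = {
  dependencies: { axios: '^1.7.9', next: '^16.0.0', 'example-lib': '^1.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': {
      version: '1.15.0',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.15.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/next': {
      version: '16.2.3',
      resolved: 'https://registry.npmjs.org/next/-/next-16.2.3.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/example-lib': {
      version: '2.0.0',
      resolved: 'https://mirror.example.invalid/example-lib-2.0.0.tgz',
      integrity: 'sha1-PLACEHOLDER',
    },
  },
};

function runSample() {
  return checkLockfile(SAMPLE_PKG, SAMPLE_LOCK);
}

// Stand-alone run: prints the two findings for example-lib. In a real repo,
// replace the samples with require('./package.json') and
// require('./package-lock.json').
if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSample().join('\n') || 'lockfile consistent');
}
```

Run against this PR's inputs the check would report nothing for axios, since `^1.7.9` admits 1.15.0, which is why the range-versus-lockfile question and the "does this version exist on the registry" question have to be asked separately; the second needs a registry lookup that this offline check deliberately does not perform.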

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 22-24: The App Store anchor tag with
href="https://apps.apple.com/us/app/#" (the App Store badge image alt
"appstore") contains a placeholder and should be replaced with the real App
Store URL (e.g. https://apps.apple.com/us/app/<app-name>/id<APP_ID>) or, if the
iOS app is not published yet, remove the entire App Store anchor/img element to
avoid a broken link; update the href attribute on the anchor that wraps the
appstore image accordingly.

In `@web/package.json`:
- Line 32: The package.json dependency "axios" is pinned to "^1.7.9" which is
vulnerable; update the version string for the "axios" dependency to at least
">=1.8.2" (preferably ">=1.12.0" to cover all known CVEs) in package.json, then
regenerate the lockfile (run npm/yarn install) so package-lock.json or yarn.lock
is updated and run the test suite or a safety scan to confirm nothing breaks;
locate the "axios" entry in package.json to apply the change and commit the
updated lockfile.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 49a72ec6-89cc-4ce6-be2c-ca5a32acb6a9

📥 Commits

Reviewing files that changed from the base of the PR and between 36db174 and ac7f053.

⛔ Files ignored due to path filters (2)
  • docs/package-lock.json is excluded by !**/package-lock.json
  • web/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • README.md
  • web/package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build-and-push
  • GitHub Check: Analyze (go)
🔇 Additional comments (2)
web/package.json (1)

3-3: LGTM!

The version bump from 2.3.0 to 2.3.1 follows semantic versioning conventions for a patch release.

README.md (1)

17-17: LGTM!

The baseline version update from 2.0.0 to 2.3.0 correctly reflects the current release state and aligns with the version progression in web/package.json.

Comment on lines +22 to +24
<div align="center">
<a href="https://apps.apple.com/us/app/#"><img width="135" height="39" alt="appstore" src="https://github.com/user-attachments/assets/45e31a11-cf6b-40a2-a083-6dc8d1f01291" /></a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://play.google.com/store/apps/details?id=com.crowdsec.manager.mobile"><img width="135" height="39" alt="googleplay" src="https://github.com/user-attachments/assets/acbba639-858f-4c74-85c7-92a4096efbf5" /></a>
</div>

⚠️ Potential issue | 🟠 Major

Fix the placeholder Apple App Store link.

The Apple App Store URL contains a placeholder (#) and will not work for users trying to download the iOS app. This creates a broken user experience for iOS users.

🔗 Proposed fix

Please replace the placeholder # with the actual App Store app ID:

-<a href="https://apps.apple.com/us/app/#"><img width="135" height="39" alt="appstore" src="https://github.com/user-attachments/assets/45e31a11-cf6b-40a2-a083-6dc8d1f01291" /></a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://play.google.com/store/apps/details?id=com.crowdsec.manager.mobile"><img width="135" height="39" alt="googleplay" src="https://github.com/user-attachments/assets/acbba639-858f-4c74-85c7-92a4096efbf5" /></a>
+<a href="https://apps.apple.com/us/app/YOUR_APP_ID"><img width="135" height="39" alt="appstore" src="https://github.com/user-attachments/assets/45e31a11-cf6b-40a2-a083-6dc8d1f01291" /></a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://play.google.com/store/apps/details?id=com.crowdsec.manager.mobile"><img width="135" height="39" alt="googleplay" src="https://github.com/user-attachments/assets/acbba639-858f-4c74-85c7-92a4096efbf5" /></a>

Alternatively, if the iOS app is not yet available, consider removing the App Store badge until the app is published.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 22 - 24, The App Store anchor tag with
href="https://apps.apple.com/us/app/#" (the App Store badge image alt
"appstore") contains a placeholder and should be replaced with the real App
Store URL (e.g. https://apps.apple.com/us/app/<app-name>/id<APP_ID>) or, if the
iOS app is not published yet, remove the entire App Store anchor/img element to
avoid a broken link; update the href attribute on the anchor that wraps the
appstore image accordingly.

"@xterm/addon-fit": "^0.11.0",
"@xterm/xterm": "^6.0.0",
"axios": "^1.7.2",
"axios": "^1.7.9",
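Review bot: the caret range `^1.7.9` lets the lockfile resolve to any 1.x release, so the version a fresh `npm install` from package.json alone picks up is unbounded above 1.7.9 and the effective version is whatever the regenerated lockfile pins. If the intent is to stay on the 1.7 line the range should be `~1.7.9`; if the intent is to pick up the advisory fixes discussed in this review, raise the floor to at least 1.8.2 (the first patched version cited) so that the declared range, not only the lockfile, excludes the affected releases.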

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check axios version 1.7.9 validity and security advisories

# Check if axios 1.7.9 exists on npm
echo "=== Checking axios version 1.7.9 on npm ==="
curl -s https://registry.npmjs.org/axios | jq -r '.versions | keys[] | select(. == "1.7.9")'

# Check for security advisories affecting axios 1.7.2 to 1.7.9
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "axios") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: hhftechnology/crowdsec_manager

Length of output: 326


🌐 Web query:

axios 1.7.2 1.7.9 security vulnerabilities CVE

💡 Result:

Web search failed: Server error: no LLM provider could handle the message


🌐 Web query:

axios npm security advisories 2024 2025

💡 Result:

Axios (npm) security advisories in 2024–2025

2024

2025

  • CVE-2025-27152 / GHSA-jr5f-v2jv-69x6 — Possible SSRF + credential leakage when absolute URLs can override baseURL; affected >=1.0.0,<1.8.2 and <0.30.0; patched in 1.8.2 and 0.30.0 (published Mar 7, 2025). [2]
  • CVE-2025-58754 / GHSA-4hjh-wcwx-xvwj — DoS via decoding large data: URLs without size checks; affected >=1.0.0,<1.12.0 and >=0.28.0,<0.30.2; patched in 1.12.0 and 0.30.2 (published Sep 11, 2025). [3]
  • GHSA-rm8p-cx58-hcvx (Withdrawn; relates to form-data) — Advisory about a transitive issue in form-data@4.0.0 pulled by axios 1.10.0 (references CVE-2025-7783), withdrawn Jul 24, 2025 because users could remediate by upgrading form-data without upgrading axios. [4]

Sources: GitHub Advisory Database entries above. [1][2][3][4]


Upgrade axios to 1.8.2 or later to address known security vulnerabilities.

Version 1.7.9 exists but is affected by two unpatched CVEs:

  • CVE-2025-27152 (SSRF + credential leakage): Requires upgrade to ≥1.8.2
  • CVE-2025-58754 (DoS via data: URLs): Requires upgrade to ≥1.12.0

The update from 1.7.2 to 1.7.9 fixes CVE-2024-39338 but leaves these vulnerabilities unaddressed. Consider upgrading to 1.8.2 at minimum, or 1.12.0 to resolve all known issues in the 1.x line.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@web/package.json` at line 32, The package.json dependency "axios" is pinned
to "^1.7.9" which is vulnerable; update the version string for the "axios"
dependency to at least ">=1.8.2" (preferably ">=1.12.0" to cover all known CVEs)
in package.json, then regenerate the lockfile (run npm/yarn install) so
package-lock.json or yarn.lock is updated and run the test suite or a safety
scan to confirm nothing breaks; locate the "axios" entry in package.json to
apply the change and commit the updated lockfile.

@hhftechnology hhftechnology changed the title Pangolin Update README baseline version and package versions Apr 10, 2026
@hhftechnology hhftechnology merged commit 57774d7 into main Apr 10, 2026
9 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Apr 13, 2026