
fix(deps): bump axios to ~1.16.1 to address high-severity advisories#194

Merged
pchuri merged 1 commit into
mainfrom
fix/bump-axios-security
May 30, 2026

Conversation

Owner

@pchuri pchuri commented May 30, 2026

Summary

Bumps axios from ~1.15.2 to ~1.16.1 to resolve four newly disclosed high-severity advisories that started failing CI's security job on main after #193 was merged.

Why now

CI's npm audit --audit-level moderate --omit=dev began failing on the post-merge main run because GHSA disclosures for axios <= 1.15.2 landed between the PR build and the merge build. Because the publish and update-homebrew jobs depend on [test, security], the release pipeline is currently blocked.

This PR is intentionally minimal and independent of #193 — that PR only touched lib/html-to-storage.js and its tests, not dependencies.

Advisories resolved

| GHSA | Severity | Issue |
|------|----------|-------|
| GHSA-pjwm-pj3p-43mv | high | NO_PROXY bypass via IPv4-mapped IPv6 addresses (incomplete fix for CVE-2025-62718) |
| GHSA-898c-q2cr-xwhg | high | DoS and header injection via prototype pollution in axios merge functions |
| GHSA-654m-c8p4-x5fp | high | Proxy-Authorization header injection via prototype pollution (incomplete null-prototype fix) |
| GHSA-35jp-ww65-95wh | high | Full MITM via prototype pollution gadget in config.proxy |

Range choice

~1.16.1 (tilde, patch-only) preserves the existing pinning policy. Not bumping to ^1.16.1 to avoid widening the constraint.

Test plan

  • npm audit --audit-level moderate --omit=dev → 0 vulnerabilities
  • npm test → 724/724 passing
  • axios-mock-adapter@2.1.0 deduped on axios@1.16.1 (no duplicate trees)
  • CI security job goes green on this PR
  • After merge, publish and update-homebrew resume on main

Resolves four high-severity advisories affecting axios <= 1.15.2:

- GHSA-pjwm-pj3p-43mv: NO_PROXY bypass via IPv4-mapped IPv6 addresses
  (incomplete fix for CVE-2025-62718)
- GHSA-898c-q2cr-xwhg: DoS and header injection via prototype pollution
  in axios merge functions
- GHSA-654m-c8p4-x5fp: Proxy-Authorization header injection via
  prototype pollution (incomplete null-prototype fix)
- GHSA-35jp-ww65-95wh: Full MITM via prototype pollution gadget in
  config.proxy

CI's `npm audit --audit-level moderate --omit=dev` started failing on
main after these advisories were disclosed, blocking publish and
update-homebrew jobs. The tilde range is preserved (~1.16.1) to keep
the existing patch-only pinning policy.

Verified locally:
- npm audit --audit-level moderate --omit=dev: 0 vulnerabilities
- npm test: 724/724 passing (axios-mock-adapter@2.1.0 deduped on 1.16.1)
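The test plan and commit message above check three things by hand: no installed axios is left in the advisory range (<= 1.15.2), the root range stays a tilde (patch-only) range, and axios-mock-adapter dedupes onto a single axios tree. The following is an added example, not code from this PR or the project, that checks those conditions against a package-lock "packages" map; the lockfile objects are constructed to mimic npm's v3 layout and the `auditLock` / `satisfiesTilde` names are mine.

```javascript
// Added example (not from the PR or project): verify the conditions the test plan
// checks by hand: every installed axios is above the advisory range (<= 1.15.2 per
// the PR), the root range is a tilde range (patch-only policy), and axios is
// installed once so axios-mock-adapter dedupes onto it. Lockfiles are constructed.
const LAST_VULNERABLE = "1.15.2"; // from the PR: advisories affect axios <= 1.15.2

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Tilde semantics: same major.minor, patch >= the stated patch (caret would also admit minor bumps).
function satisfiesTilde(range, version) {
  if (!range.startsWith("~")) return false;
  const [rMaj, rMin, rPat] = parseVersion(range.slice(1));
  const [vMaj, vMin, vPat] = parseVersion(version);
  return vMaj === rMaj && vMin === rMin && vPat >= rPat;
}

// Returns a list of problems; an empty list means the lockfile is clean for `pkg`.
function auditLock(lock, pkg) {
  const problems = [];
  const declared = (lock.packages[""].dependencies || {})[pkg];
  if (!declared || !declared.startsWith("~")) problems.push(`root range for ${pkg} is not a tilde range: ${declared}`);
  const installs = Object.entries(lock.packages).filter(([p]) => p.endsWith(`node_modules/${pkg}`));
  if (installs.length !== 1) problems.push(`${pkg} installed ${installs.length} times (expected one deduped tree)`);
  for (const [path, entry] of installs) {
    if (compareVersions(entry.version, LAST_VULNERABLE) <= 0) problems.push(`${path}@${entry.version} is <= ${LAST_VULNERABLE} (advisory range)`);
    if (path === `node_modules/${pkg}` && declared && !satisfiesTilde(declared, entry.version)) problems.push(`${path}@${entry.version} does not satisfy ${declared}`);
  }
  return problems;
}

// Constructed: the tree after this PR (root range ~1.16.1, a single axios install).
const LOCK_AFTER = { packages: {
  "": { dependencies: { axios: "~1.16.1" } },
  "node_modules/axios": { version: "1.16.1" },
  "node_modules/axios-mock-adapter": { version: "2.1.0" } } };
// Constructed: a pre-PR tree with a stale nested copy that would keep audit red.
const LOCK_BEFORE = { packages: {
  "": { dependencies: { axios: "~1.15.2" } },
  "node_modules/axios": { version: "1.15.2" },
  "node_modules/axios-mock-adapter": { version: "2.1.0" },
  "node_modules/axios-mock-adapter/node_modules/axios": { version: "1.14.0" } } };
```

Running `auditLock(LOCK_BEFORE, "axios")` reports the duplicate tree and both vulnerable copies, while the post-PR tree reports nothing.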
@pchuri pchuri self-assigned this May 30, 2026
@pchuri pchuri merged commit 2be46b2 into main May 30, 2026
6 checks passed
github-actions Bot pushed a commit that referenced this pull request May 30, 2026
# [2.11.0](v2.10.0...v2.11.0) (2026-05-30)

### Bug Fixes

* **deps:** bump axios to ~1.16.1 to address high-severity advisories ([#194](#194)) ([2be46b2](2be46b2))

### Features

* convert markdown plantuml fences to confluence plantuml macro ([#193](#193)) ([c88f9dd](c88f9dd))
@github-actions

🎉 This PR is included in version 2.11.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
