From ad3c138927134123b5a1185655e27c67223008b0 Mon Sep 17 00:00:00 2001
From: Ruturaj-Browserstack
Date: Mon, 13 Apr 2026 22:56:37 +0530
Subject: [PATCH 1/2] fix: bump axios to ^1.15.0 to patch NO_PROXY SSRF bypass (CVE-2025-62718) Upgrade axios from 1.14.0 to 1.15.0 to remediate GHSA-3p68-rc4w-qgx5, where NO_PROXY hostname normalization could be bypassed via trailing-dot hostnames or IPv6 literals, leading to SSRF. Ref PMAA-94.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package-lock.json | 8 ++++----
 package.json | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 28ef802..dca33b6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,7 +11,7 @@
 "dependencies": {
 "@modelcontextprotocol/sdk": "^1.29.0",
 "@types/form-data": "^2.5.2",
- "axios": "^1.14.0",
+ "axios": "^1.15.0",
 "browserstack-local": "^1.5.12",
 "csv-parse": "^6.2.1",
 "dotenv": "^17.4.0",
@@ -1557,9 +1557,9 @@
 }
 },
 "node_modules/axios": {
- "version": "1.14.0",
- "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.0.tgz",
- "integrity": "sha512-3Y8yrqLSwjuzpXuZ0oIYZ/XGgLwUIBU3uLvbcpb0pidD9ctpShJd43KSlEEkVQg6DS0G9NKyzOvBfUtDKEyHvQ==",
+ "version": "1.15.0",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.0.tgz",
+ "integrity": "sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==",
 "license": "MIT",
 "dependencies": {
 "follow-redirects": "^1.15.11",
diff --git a/package.json b/package.json
index 015d2f5..0080c93 100644
--- a/package.json
+++ b/package.json
@@ -37,7 +37,7 @@
 "dependencies": {
 "@modelcontextprotocol/sdk": "^1.29.0",
 "@types/form-data": "^2.5.2",
- "axios": "^1.14.0",
+ "axios": "^1.15.0",
 "browserstack-local": "^1.5.12",
 "csv-parse": "^6.2.1",
 "dotenv": "^17.4.0",
From 166f50ad7e10e16f79b62b2ccb979de581f8a0a8 Mon Sep 17 00:00:00 2001
From: Ruturaj-Browserstack
Date: Mon, 13 Apr 2026 23:01:11 +0530
Subject: [PATCH 2/2] chore: bump version to 1.2.15 in package.json, package-lock.json, and server.json Version bump for the axios 1.15.0 security upgrade (PMAA-94 / CVE-2025-62718).
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 server.json | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index dca33b6..fdc4029 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@browserstack/mcp-server",
- "version": "1.2.14",
+ "version": "1.2.15",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@browserstack/mcp-server",
- "version": "1.2.14",
+ "version": "1.2.15",
 "license": "ISC",
 "dependencies": {
 "@modelcontextprotocol/sdk": "^1.29.0",
diff --git a/package.json b/package.json
index 0080c93..4e8a187 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@browserstack/mcp-server",
- "version": "1.2.14",
+ "version": "1.2.15",
 "description": "BrowserStack's Official MCP Server",
 "mcpName": "io.github.browserstack/mcp-server",
 "main": "dist/index.js",
diff --git a/server.json b/server.json
index 16eed9e..0747609 100644
--- a/server.json
+++ b/server.json
@@ -11,7 +11,7 @@
 {
 "registryType": "npm",
 "identifier": "@browserstack/mcp-server",
- "version": "1.2.14",
+ "version": "1.2.15",
 "transport": {
 "type": "stdio"
 },