[Snyk] Security upgrade axios from 0.21.4 to 1.13.5 #51
Conversation
…bilities The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
Pull request overview
This PR upgrades the client’s axios dependency to remediate a Snyk-reported prototype pollution vulnerability in the frontend dependency tree.
Changes:
- Bump `axios` from `^0.21.x` to `^1.13.5` in `client/package.json`.
- Regenerate/update `client/package-lock.json` to reflect the new axios version and re-resolved transitive dependencies.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| client/package.json | Updates the declared axios dependency to ^1.13.5. |
| client/package-lock.json | Updates resolved axios version and associated dependency graph (includes broader re-resolve changes). |
| "node_modules/typescript": { | ||
| "version": "5.9.3", | ||
| "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", | ||
| "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", | ||
| "license": "Apache-2.0", | ||
| "peer": true, | ||
| "bin": { | ||
| "tsc": "bin/tsc", | ||
| "tsserver": "bin/tsserver" | ||
| }, | ||
| "engines": { | ||
| "node": ">=14.17" | ||
| } |
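Review bot: the new `"node_modules/typescript"` entry is flagged `"peer": true` and carries no `"dev": true`, so TypeScript 5.9.3 was pulled in automatically by npm 7+ peer resolution (nothing in this PR's package.json change declares it) and will land in production installs as well as dev installs. Before accepting it, run `npm explain typescript` on the PR branch to see which package's peer range requested it and check that the range admits 5.x; if the previous lockfile was produced with `--legacy-peer-deps`, regenerate this one the same way so the peer is not auto-installed at all.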
package-lock.json now pulls in typescript@5.9.3 as a peer dependency. This is likely to conflict with react-scripts@4.0.3 (which declares a TypeScript peer range of ^3.2.1 || ^4) and can cause CRA’s TypeScript detection/build to fail or behave unexpectedly. Consider regenerating the lockfile in a way that avoids auto-installing this peer (e.g., matching the previous install mode), or explicitly pin/override TypeScript to a compatible 4.x version if TypeScript must be present.
| "@testing-library/react": "^11.2.6", | ||
| "@testing-library/user-event": "^13.1.5", | ||
| "antd": "^4.15.2", | ||
| "axios": "^0.21.1", | ||
| "axios": "^1.13.5", | ||
| "bizcharts": "^4.1.15", | ||
| "bootstrap": "^5.1.3", |
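Review bot: the range moves from `"^0.21.1"` to `"^1.13.5"`, which crosses a major version (under caret semantics `^0.21.1` admits only 0.21.x, while `^1.13.5` admits any 1.x at or above 1.13.5), so the PR title's "from 0.21.4" describes the previously resolved lockfile version, not the manifest range that is being changed here. Nothing in the Snyk PR body says the client was built or exercised against axios 1.x; run the client build and whatever tests cover its HTTP calls before merging, and decide whether the caret range or an exact `1.13.5` pin is wanted, since the Snyk fix is about the resolved version rather than the range.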
The PR description indicates an axios-only security upgrade, but package-lock.json includes broad, unrelated dependency changes (e.g., major bumps to Babel packages, browserslist, rollup, etc.). This increases risk and makes it harder to review/roll back. If possible, regenerate the lockfile to limit changes to axios and its direct transitive dependencies (or document why a full re-resolve is required).
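The review comment above asks to limit the lockfile changes to axios and its transitive dependencies, and the earlier comment flags a `"peer": true` TypeScript entry. As an added example, not code from the Snyk PR or from the project, here is a Node script that checks both points mechanically: it computes the transitive closure of a target package in the before and after lockfiles, labels every changed entry as expected (inside that closure) or unrelated, and separately lists entries that appeared as auto-installed peers. The two lockfiles in the block are constructed sample data shaped like this PR; the transitive package names and versions in them are assumptions for illustration, not copied from the real client/package-lock.json.

```javascript
// Added example, not code from the Snyk PR or the project under review:
// compare two npm lockfiles (lockfileVersion 2/3 "packages" maps) and split the
// changed entries into those explained by upgrading one target package and
// those that are unrelated re-resolves. OLD_LOCK/NEW_LOCK are constructed
// sample data shaped like the PR's before/after; transitive package versions
// are illustrative, not copied from the real client/package-lock.json.

const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { axios: "^0.21.1", "react-scripts": "4.0.3" } },
  "node_modules/axios": { version: "0.21.4", dependencies: { "follow-redirects": "^1.14.0" } },
  "node_modules/follow-redirects": { version: "1.14.9" },
  "node_modules/react-scripts": { version: "4.0.3", dependencies: { browserslist: "^4.14.5" },
    peerDependencies: { typescript: "^3.2.1 || ^4" } },
  "node_modules/browserslist": { version: "4.16.6" },
} };

const NEW_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { axios: "^1.13.5", "react-scripts": "4.0.3" } },
  "node_modules/axios": { version: "1.13.5", dependencies: {
    "follow-redirects": "^1.15.6", "form-data": "^4.0.4", "proxy-from-env": "^1.1.0" } },
  "node_modules/follow-redirects": { version: "1.15.11" },
  "node_modules/form-data": { version: "4.0.4" },
  "node_modules/proxy-from-env": { version: "1.1.0" },
  "node_modules/react-scripts": { version: "4.0.3", dependencies: { browserslist: "^4.14.5" },
    peerDependencies: { typescript: "^3.2.1 || ^4" } },
  "node_modules/browserslist": { version: "4.25.0" },          // unrelated re-resolve
  "node_modules/typescript": { version: "5.9.3", peer: true }, // npm 7+ auto-installed peer
} };

// Resolve a dependency name from a lockfile key the way npm does: try the
// nested "<from>/node_modules/<name>" path, then walk up towards the hoisted
// top-level "node_modules/<name>". Returns null when the lockfile has no entry.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// All lockfile keys reachable from the root dependency `name` through
// dependencies and optionalDependencies. peerDependencies are deliberately not
// followed: npm records auto-installed peers as separate entries, so they show
// up as "unrelated" and are reported explicitly by scopeReport.
function closureOf(lock, name) {
  const packages = lock.packages;
  const seen = new Set();
  const stack = [resolveKey(packages, "", name)].filter(Boolean);
  while (stack.length) {
    const key = stack.pop();
    if (seen.has(key)) continue;
    seen.add(key);
    const entry = packages[key];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    for (const dep of Object.keys(deps)) {
      const depKey = resolveKey(packages, key, dep);
      if (depKey && !seen.has(depKey)) stack.push(depKey);
    }
  }
  return seen;
}

// Every non-root key whose resolved version differs (added, removed or bumped).
function changedEntries(oldLock, newLock) {
  const keys = new Set([...Object.keys(oldLock.packages), ...Object.keys(newLock.packages)]);
  const changes = [];
  for (const key of keys) {
    if (key === "") continue; // root manifest entry, not an installed package
    const before = oldLock.packages[key] ? oldLock.packages[key].version : null;
    const after = newLock.packages[key] ? newLock.packages[key].version : null;
    if (before !== after) changes.push({ key, before, after });
  }
  return changes.sort((a, b) => a.key.localeCompare(b.key));
}

// Classify the diff relative to `target`, and list entries that became
// auto-installed peers ("peer": true) in the new lockfile.
function scopeReport(oldLock, newLock, target) {
  const inScope = new Set([...closureOf(oldLock, target), ...closureOf(newLock, target)]);
  const report = { expected: [], unrelated: [], peerInstalled: [] };
  for (const change of changedEntries(oldLock, newLock)) {
    (inScope.has(change.key) ? report.expected : report.unrelated).push(change);
  }
  for (const [key, entry] of Object.entries(newLock.packages)) {
    const wasPeer = oldLock.packages[key] && oldLock.packages[key].peer;
    if (entry.peer && !wasPeer) report.peerInstalled.push({ key, version: entry.version });
  }
  return report;
}

console.log(JSON.stringify(scopeReport(OLD_LOCK, NEW_LOCK, "axios"), null, 2));
```

To run it against the real pair, replace `OLD_LOCK` and `NEW_LOCK` with `JSON.parse(fs.readFileSync(...))` of the lockfile from the base branch and from the PR branch; an empty `unrelated` list is the condition the comment asks for, and anything in `peerInstalled` is a candidate for the peer-range check. The `peer` flag and the nested `node_modules/...` keys only exist in lockfileVersion 2 and 3; a lockfileVersion 1 file has a different shape and would need a different walker.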
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- client/package.json
- client/package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-AXIOS-15252993
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution