[Snyk] Security upgrade axios from 0.24.0 to 1.13.5#114
[Snyk] Security upgrade axios from 0.24.0 to 1.13.5#114TimCrooker wants to merge 1 commit intomasterfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
There was a problem hiding this comment.
Pull request overview
This PR attempts to upgrade axios from version 0.24.0 to 1.13.5 to fix a high-severity prototype pollution vulnerability (SNYK-JS-AXIOS-15252993) in the gritenv package. However, the PR has several critical issues that prevent it from successfully addressing the security vulnerability.
Changes:
- Updates axios dependency from ^0.24.0 to ^1.13.5 in packages/env/package.json
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| }, | ||
| "dependencies": { | ||
| "axios": "^0.24.0", | ||
| "axios": "^1.13.5", |
There was a problem hiding this comment.
This security upgrade is incomplete. The monorepo has multiple packages that depend on axios 0.24.0, including packages/cli and packages/youtill. Both of these packages need to be upgraded to the same axios version to fix the security vulnerability consistently across the codebase. Additionally, packages/cli depends on gritenv (this package), which will create a dependency conflict: cli will require both axios@^0.24.0 (its direct dependency) and axios@^1.13.5 (via gritenv). All packages using axios should be upgraded together in this PR.
| "axios": "^1.13.5", | |
| "axios": "^0.24.0", |
| }, | ||
| "dependencies": { | ||
| "axios": "^0.24.0", | ||
| "axios": "^1.13.5", |
There was a problem hiding this comment.
The PR description indicates that the yarn.lock file was not updated successfully. This means the lockfile still references axios 0.24.0, and the security vulnerability will not actually be fixed until the lockfile is updated. The yarn.lock must be successfully updated and included in this PR for the security fix to take effect. Run 'yarn install' to update the lockfile before merging.
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/env/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution