Skip to content

fix(security): lock the axios to 1.14.0#1606

Merged
chenjiahan merged 1 commit intomainfrom
fix/axios-1.14.1-security
Mar 31, 2026
Merged

fix(security): lock the axios to 1.14.0#1606
chenjiahan merged 1 commit intomainfrom
fix/axios-1.14.1-security

Conversation

@yifancong
Copy link
Copy Markdown
Contributor

@yifancong yifancong commented Mar 31, 2026
edited
Loading

Summary

fix[security]: lock the axios to 1.14.0

Related Links

close: #1605

Copilot AI review requested due to automatic review settings March 31, 2026 10:53
@yifancong
fix[security]: lock the axios to 1.14.0
c44a18a 
fix[security]: lock the axios to 1.14.0
Copilot AI reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins axios to a known-good version via pnpm overrides to mitigate the reported “phantom”/malicious axios@1.14.1 resolution risk in dependency installs.

Changes:

  • Add a root pnpm.overrides entry to force axios to 1.14.0.
  • Update pnpm-lock.yaml to include the override and reflect axios resolution to 1.14.0.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 4 comments.

File Description
package.json Adds pnpm.overrides.axios = 1.14.0 to force a safe axios version during installs.
pnpm-lock.yaml Records the override and updates workspace importer entries for axios resolution.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@yifancong yifancong force-pushed the fix/axios-1.14.1-security branch from 534f169 to c44a18a Compare March 31, 2026 10:59
@yifancong
Copy link
Copy Markdown
Contributor Author

yifancong commented Mar 31, 2026

TODO: Delete axios and change it to fetch

@yifancong yifancong enabled auto-merge (squash) March 31, 2026 11:05
@chenjiahan chenjiahan changed the title fix[security]: lock the axios to 1.14.0 fix(security): lock the axios to 1.14.0 Mar 31, 2026
@chenjiahan chenjiahan disabled auto-merge March 31, 2026 11:05
@chenjiahan chenjiahan enabled auto-merge (squash) March 31, 2026 11:05
@chenjiahan chenjiahan merged commit ce00f26 into main Mar 31, 2026
6 checks passed
@chenjiahan chenjiahan deleted the fix/axios-1.14.1-security branch March 31, 2026 11:06
@yifancong yifancong mentioned this pull request Apr 1, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chenjiahan chenjiahan chenjiahan approved these changes

@fi3ework fi3ework fi3ework approved these changes

Assignees

No one assigned

Labels

change: fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: ⚠️ Security: axios@1.14.1 is a malicious phantom version pulled in by @rsdoctor/core@1.5.5

4 participants

@yifancong @chenjiahan @fi3ework