Skip to content

Resolve high severity security vulnerabilities (v0.42.3)#178

Merged
bencollen33 merged 3 commits into
masterfrom
vuln-updates
Jun 16, 2026
Merged

Resolve high severity security vulnerabilities (v0.42.3)#178
bencollen33 merged 3 commits into
masterfrom
vuln-updates

Conversation

@bencollen33

Copy link
Copy Markdown
Contributor

Summary

  • Upgrade axios 1.15.2 → 1.18.0 (direct dependency) to fix 3 high severity CVEs: NO_PROXY bypass via IPv4-mapped IPv6 addresses, ReDoS via cookie name injection, and unbounded resource allocation
  • Pin form-data to 4.0.6 via resolutions to fix high severity CRLF injection in multipart field names (transitive via axios)
  • Pin brace-expansion to 1.1.15 via resolutions to fix low severity ReDoS (transitive via eslint/jest → minimatch)
  • Pin ajv to 6.15.0 via resolutions to fix moderate severity ReDoS via $data option (transitive via eslint)
  • Bump package version to 0.42.3

Vulnerability details

Package Before After Severity CVE/Advisory
axios 1.15.2 1.18.0 High NO_PROXY bypass, ReDoS via cookie, resource allocation (patched ≥1.16.0)
form-data 4.0.5 4.0.6 High CRLF injection in multipart field names (patched ≥4.0.6)
brace-expansion 1.1.11 1.1.15 Low ReDoS (patched ≥1.1.12)
ajv 6.12.6 6.15.0 Moderate ReDoS via $data option (patched ≥6.14.0)

All 7 high severity vulnerabilities are resolved. Remaining 66 advisories are low/moderate in dev-only transitive dependencies (jest/eslint tooling).

Test plan

  • yarn install completes successfully
  • yarn test passes (10/10 tests)
  • yarn audit shows 0 high severity vulnerabilities (down from 7)

🤖 Generated with Claude Code

bencollen33 and others added 2 commits May 27, 2026 16:20
- Bump axios from 1.11.0 to 1.15.2 (production dep) to patch 4 CVEs:
  prototype pollution, header injection, NO_PROXY bypass
- Add resolutions for devDep vulnerabilities: @babel/traverse, braces,
  cross-spawn, flatted, json5, marked, minimatch, minimist, picomatch, semver

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…race-expansion, and ajv

- Upgrade axios 1.15.2 → 1.18.0 (fixes 3 high CVEs: NO_PROXY bypass, ReDoS via cookie, resource allocation)
- Pin form-data to 4.0.6 via resolutions (fixes high CVE: CRLF injection in multipart field names)
- Pin brace-expansion to 1.1.15 via resolutions (fixes low CVE: ReDoS)
- Pin ajv to 6.15.0 via resolutions (fixes moderate CVE: ReDoS via $data option)
- Bump package version to 0.42.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bencollen33 bencollen33 requested a review from a team as a code owner June 16, 2026 15:03
Keep v0.42.3, axios 1.18.0, and security resolutions from vuln-updates branch.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@bencollen33 bencollen33 merged commit ab5a54c into master Jun 16, 2026
2 checks passed
@bencollen33 bencollen33 deleted the vuln-updates branch June 16, 2026 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants