fix(deps): remediate axios advisories via override to ^1.18.1#248
fix(deps): remediate axios advisories via override to ^1.18.1#248Isaac-kps wants to merge 1 commit into
Conversation
axios was pulled in transitively at vulnerable versions (the hoisted axios@0.27.2 via @govtechsg/address-identity-resolver, plus 1.x copies < 1.16.0 via tt-verify/dnsprove), triggering a large set of high-severity GHSA advisories. npm audit reported fixAvailable:false because every copy is transitive, so the remediation is an override. - Override axios to ^1.18.1 (clears all axios advisories). - Override axios-extensions to ^4.0.0: v3.1.6 deep-imports axios/lib/helpers/buildURL, blocked by axios 1.x's exports field. v4 drops the deep import and exposes the identical API. - Add util ^0.12.5 to devDependencies: axios-extensions@3 transitively provided the `util` polyfill that @tradetrust-tt/tt-verify's ESM build relies on; v4 dropped that dependency, so declare it explicitly to keep the Docusaurus webpack build resolving (tradetrust-website already declares util for the same reason). Verified: docusaurus production build succeeds; npm audit no longer flags axios. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 59 minutes and 49 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
axios was present only transitively at vulnerable versions — the hoisted
axios@0.27.2(via@govtechsg/tradetrust-ui-components→@govtechsg/address-identity-resolver/axios-extensions), plus 1.x copies< 1.16.0(via@tradetrust-tt/tt-verifyanddnsprove). These trigger a large set of high-severity GHSA advisories: SSRF, prototype-pollution gadgets, proxy-auth credential leakage, ReDoS, and DoS.Because every axios copy is transitive,
npm auditreportsfixAvailable: false— the only remediation is apackage.jsonoverridesentry.Changes
axios→^1.18.1(override). Clears every axios advisory; safe floor per the advisory ranges is>= 1.16.0.axios-extensions→^4.0.0(override).v3.1.6deep-importsaxios/lib/helpers/buildURL, blocked by axios 1.x'sexportsfield.v4drops the deep import and exposes the identical API.util→^0.12.5(devDependency).axios-extensions@3transitively provided theutilpolyfill that@tradetrust-tt/tt-verify's ESM build relies on under webpack;v4dropped that dependency, so it is declared explicitly to keep the Docusaurus build resolving. (tradetrust-websitealready declaresutilfor the same reason.)After the fix, every nested axios collapses to a single
axios@1.18.1andnpm auditno longer flags axios.Verification
npm run build(Docusaurus production build) — ✅[SUCCESS] Generated static filesnpm audit— axios no longer listedmasterbuild to isolate theutilregression introduced by theaxios-extensionsmajor bump (the lonerdf-canonize-nativewarning is pre-existing and benign).🤖 Generated with Claude Code