
chore(SEC-10506): upgrade axios to 0.31.1 #38

Draft
phantom-autopilot[bot] wants to merge 1 commit into dev from autopilot2/sec-10506_high-upgrade-axios-in-github-com-phantom-synpress-to-0-31-1

Conversation


phantom-autopilot[bot] commented May 5, 2026

Summary

  • Address GHSA-6chq-wfr3-2hj9 (CVE-2026-42035, HIGH) — Axios: Header Injection via Prototype Pollution.
  • The vulnerable axios 0.27.2 was pulled in transitively via wait-on@7.0.1 in pnpm-lock.yaml.
  • Added a resolutions entry "axios@<0.31.1": "0.31.1" so any axios version older than the patched 0.31.1 is replaced with 0.31.1. This is read by both yarn and pnpm.
  • Regenerated pnpm-lock.yaml with pnpm 9 — wait-on@7.0.1 now resolves axios to 0.31.1 and no 0.27.2 remains.
  • yarn.lock already resolved the only direct axios (^1.4.0) to a non-vulnerable 1.x version, so it is unchanged by this PR.
  • Added a patch changeset.

Linear

Test plan

  • yarn install succeeds locally with the new lockfile.
  • node -e "require('wait-on')" loads.
  • No axios@0.27.2 remains in pnpm-lock.yaml.
  • CodeRabbit review on local diff: no findings.
  • CI lint/format on this branch — pre-existing helpers.js / plugins/index.js / support/index.js prettier failures already fail on dev and are out of scope per autopilot guidance.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated a transitive dependency to address a reported security vulnerability.

Bump transitive axios from 0.27.2 to 0.31.1 to address
GHSA-6chq-wfr3-2hj9 (CVE-2026-42035): Header Injection via
Prototype Pollution. The vulnerable copy is pulled in via
wait-on@7.0.1 in pnpm-lock.yaml; pin via the resolutions field
so any axios <0.31.1 is replaced with 0.31.1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
phantom-autopilot[bot] (Author)

PR opened by agent

#38


coderabbitai[bot] commented May 5, 2026

Walkthrough

A security vulnerability in axios (GHSA-6chq-wfr3-2hj9) is addressed by upgrading the transitive dependency from 0.27.2 to 0.31.1 and enforcing the new version through a package resolution pin.

Changes

Axios Security Vulnerability Fix

Layer | File(s) | Summary
Dependency Resolution Config | package.json | The resolutions section adds a pin forcing all axios versions below 0.31.1 to resolve to 0.31.1.
Release Documentation | .changeset/sec-10506-axios-upgrade.md | A Changesets entry documents the patch-level dependency upgrade of @phantom/synpress with a reference to the CVE identifier.
Pre-merge checks: 5 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title accurately describes the main change: upgrading axios to 0.31.1 to address a security vulnerability, which aligns with the changeset modifications.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.



coderabbitai[bot] left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
package.json (1)

108-117: ⚡ Quick win

Mirror this pin in overrides to cover non-Yarn install paths.

resolutions handles Yarn, but pnpm’s documented transitive override mechanism is overrides. Adding the same selector there reduces regression risk when lockfiles are regenerated outside Yarn.

Ref: https://pnpm.io/settings#overrides

Proposed diff
   "overrides": {
+    "axios@<0.31.1": "0.31.1",
     "lodash@<4.17.20": "4.17.20"
   },
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 108 - 117, The package.json currently pins
"axios@<0.31.1": "0.31.1" under "resolutions" (Yarn only); mirror that exact
selector/value into the "overrides" section so pnpm and other installers get the
same transitive pin—add "axios@<0.31.1": "0.31.1" to the existing "overrides"
object alongside the "lodash@<4.17.20" entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c3fc1342-f468-4cdd-806b-fd6a1d9f4fac

📥 Commits

Reviewing files that changed from the base of the PR and between ff82e55 and c0af3a9.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .changeset/sec-10506-axios-upgrade.md
  • package.json

Comment thread package.json
"ansi-regex": "5.0.1",
"@testing-library/dom": "8.20.0"
"@testing-library/dom": "8.20.0",
"axios@<0.31.1": "0.31.1"
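Review bot: the key "axios@<0.31.1" is a range selector, so it only rewrites dependents whose declared axios range is below 0.31.1; the comment below states that wait-on@^7.0.1 declares axios@^1.6.1, which this selector does not match, so Yarn 4's --check-resolutions run on pull requests reports YN0078 (RESOLUTION_MISMATCH) instead of applying the pin. Also, the description says this resolutions entry is read by both yarn and pnpm, but the nitpick above points out that pnpm's documented transitive mechanism is overrides, and this file already has an overrides object (the "lodash@<4.17.20" entry); mirror the same selector and value there, then re-check that no axios@0.27.2 remains in pnpm-lock.yaml once it is regenerated.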

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Inspect lock/manifests for potentially conflicting axios ranges"
rg -n -C2 --iglob 'package.json' --iglob 'yarn.lock' --iglob 'pnpm-lock.yaml' 'wait-on|axios@npm:\^0\.27|axios@\^0\.27|axios@<0\.31\.1|0\.31\.1'

echo
echo "2) Confirm Yarn's PR resolution-mismatch rule (YN0078)"
curl -fsSL https://yarnpkg.com/advanced/error-codes | rg -n 'YN0078|check-resolutions|RESOLUTION_MISMATCH'

Repository: phantom/synpress

Length of output: 16111


Remove conflicting axios resolution that will fail Yarn 4 PR installs.

The resolution "axios@<0.31.1": "0.31.1" forces axios to v0.31.1, but wait-on@^7.0.1 declares a dependency on axios@^1.6.1. Yarn 4 CI will reject this mismatch with error YN0078 (RESOLUTION_MISMATCH) when --check-resolutions runs on pull requests.

Either:

  1. Update the resolution to use a version matching ^1.6.1 (e.g., 1.7.7), or
  2. Downgrade wait-on to a version that supports axios@<0.31.1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 113, The resolutions entry "axios@<0.31.1": "0.31.1"
conflicts with wait-on@^7.0.1 (which requires axios@^1.6.1) and triggers Yarn 4
YN0078; fix by editing package.json to either remove the conflicting
"axios@<0.31.1" resolution or replace it with a compatible resolution such as
changing the key to match the semver used by dependent packages (e.g., set axios
resolution to a 1.x release like "axios@^1.6.1": "1.7.7" or simply "axios":
"1.7.7"), then run yarn install to update the lockfile and commit the updated
package.json and lockfile; alternatively, if you prefer not to upgrade axios,
downgrade the wait-on dependency (wait-on@^7.0.1) to a version that accepts
axios<0.31.1 and update lockfile accordingly.
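An added check that is not code from the PR or the synpress project, covering two points from the thread: the test-plan step "no axios@0.27.2 remains in pnpm-lock.yaml" and the nitpick that a pin living only in resolutions does not reach pnpm's overrides. It scans a pnpm v9 lockfile text for resolved axios versions below the patched floor and reports which manifest sections carry the exact pin; the lockfile and manifest below are constructed samples, and the pnpm v9 layout (package keys like `axios@0.27.2:` and snapshot lines like `axios: 0.27.2`) is an assumption.

```javascript
// Added example (not part of the PR or the synpress project): audit a pnpm v9
// lockfile for axios versions below the patched floor and report whether
// package.json carries the pin in both "resolutions" and "overrides".
const PATCHED_AXIOS = '0.31.1';                 // floor named in the PR
const PIN_SELECTOR = `axios@<${PATCHED_AXIOS}`; // selector used in the PR

// Numeric compare of two dotted x.y.z strings (no pre-release handling).
function lessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Collect every resolved axios version in the lockfile text: "axios@0.27.2:"
// package keys and "axios: 0.27.2" lines under snapshot dependencies
// (assumed pnpm v9 layout); return the ones below the floor, sorted.
function vulnerableAxiosVersions(lockText, floor = PATCHED_AXIOS) {
  const seen = new Set();
  for (const m of lockText.matchAll(/\baxios@(\d+\.\d+\.\d+)/g)) seen.add(m[1]);
  for (const m of lockText.matchAll(/^\s*axios:\s*(\d+\.\d+\.\d+)\s*$/gm)) seen.add(m[1]);
  return [...seen].filter((v) => lessThan(v, floor)).sort();
}

// Report which manifest sections carry the exact selector/value pair; a pin
// present only in "resolutions" covers Yarn but not pnpm's "overrides".
function pinCoverage(manifest, selector = PIN_SELECTOR, version = PATCHED_AXIOS) {
  const has = (section) => (manifest[section] || {})[selector] === version;
  return { resolutions: has('resolutions'), overrides: has('overrides') };
}

// Constructed pre-upgrade lockfile fragment in the assumed pnpm v9 layout.
const SAMPLE_LOCK_BEFORE = `
packages:
  axios@0.27.2:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  wait-on@7.0.1:
    dependencies:
      axios: 0.27.2
`;
// Constructed manifest mirroring the PR: pin in resolutions only.
const SAMPLE_MANIFEST = {
  resolutions: { 'axios@<0.31.1': '0.31.1' },
  overrides: { 'lodash@<4.17.20': '4.17.20' },
};
console.log(vulnerableAxiosVersions(SAMPLE_LOCK_BEFORE)); // [ '0.27.2' ]
console.log(pinCoverage(SAMPLE_MANIFEST));                // { resolutions: true, overrides: false }
```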
