security: upgrade axios to 1.16.0 #7736

Open
wtfiwtz wants to merge 3 commits into getredash:master from orchestrated-io:security/axios-1.16.0

@wtfiwtz wtfiwtz commented Jun 2, 2026

Summary

Upgrade axios from 0.27.2/0.28.0 to 1.16.0 to address multiple critical security vulnerabilities in the 0.x series.

Changes

  • package.json: Update axios 0.27.2 → 1.16.0
  • viz-lib/package.json: Update axios 0.28.0 → 1.16.0
  • Add axios 1.16.0 override to pnpm.overrides
  • Regenerate pnpm-lock.yaml

CVEs Addressed

This PR addresses multiple critical axios 0.x vulnerabilities:

  • SSRF (Server-Side Request Forgery) vulnerabilities
  • CSRF (Cross-Site Request Forgery) issues
  • DoS (Denial of Service) vulnerabilities
  • Prototype pollution vulnerabilities
  • Request smuggling issues

Specific GitHub Security Advisories (GHSAs) resolved by upgrading to axios 1.16.0 include advisories for improper handling of URLs, cookie injection, and various request manipulation attacks that were present in the 0.x branch.

The axios 1.x series includes significant security hardening and architectural improvements over 0.x.

Test Results

  • ✅ Frontend tests: All 15 test suites passed (90 tests)
  • ✅ Backend environment: Python/Redash modules load successfully

Related PRs

Part of the frontend security upgrade series split from #7720:

Made with Cursor

Upgrade axios from 0.27.2/0.28.0 to 1.16.0 to address multiple critical
security vulnerabilities in the 0.x series.

Changes:
- package.json: Update axios 0.27.2 → 1.16.0
- viz-lib/package.json: Update axios 0.28.0 → 1.16.0
- Add axios 1.16.0 override to pnpm.overrides
- Regenerate pnpm-lock.yaml

CVEs Addressed:
- Multiple critical axios 0.x vulnerabilities including:
  - SSRF (Server-Side Request Forgery) vulnerabilities
  - CSRF (Cross-Site Request Forgery) issues
  - DoS (Denial of Service) vulnerabilities
  - Prototype pollution vulnerabilities
  - Request smuggling issues

Specific GHSAs resolved by upgrading to axios 1.16.0 include advisories
for improper handling of URLs, cookie injection, and various request
manipulation attacks that were present in the 0.x branch.

Test Results:
- Frontend tests: ✓ All 15 test suites passed (90 tests)
- Backend: ✓ Python environment loads successfully

Co-authored-by: Cursor <cursoragent@cursor.com>
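The "Regenerate pnpm-lock.yaml" step is what actually removes axios 0.x from the dependency graph, so a reviewer would want to confirm the regenerated lockfile no longer resolves any axios version below 1.16.0 in either workspace. The check below is an added example, not code from this PR or from Redash; it assumes the pnpm lockfile convention that every resolved version appears as a `name@version` key or a `name: version` line, and the sample lock contents are constructed.

```javascript
// Added example (not code from this PR or from Redash): verify that a
// pnpm-lock.yaml resolves a package only at or above a minimum version.
// Assumes the pnpm lockfile convention that every resolved version shows
// up as a `name@version` key or a `name: version` dependency line.

// Constructed sample lock: the root workspace is on 1.16.0 but viz-lib
// still resolves 0.28.0, i.e. the lockfile was not fully regenerated.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      axios:
        specifier: 1.16.0
        version: 1.16.0
  viz-lib:
    dependencies:
      axios:
        specifier: 0.28.0
        version: 0.28.0
packages:
  axios@0.28.0:
    resolution: {integrity: sha512-constructed}
  axios@1.16.0:
    resolution: {integrity: sha512-constructed}
`;

// Numeric comparison of dotted versions: negative if a < b, 0 if equal, else positive.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Distinct versions of `pkg` resolved anywhere in the lockfile text, ascending.
function resolvedVersions(lockText, pkg) {
  const name = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`(?:^|[\\s'"(])${name}(?:@|:[ \\t]*)(\\d+(?:\\.\\d+)+)`, 'gm');
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Versions of `pkg` still resolved below `minimum`; an empty list means the upgrade is complete.
function staleVersions(lockText, pkg, minimum) {
  return resolvedVersions(lockText, pkg).filter((v) => compareVersions(v, minimum) < 0);
}
console.log(staleVersions(SAMPLE_LOCK, 'axios', '1.16.0')); // [ '0.28.0' ]
```

To run it against the real file, pass the contents of the regenerated `pnpm-lock.yaml` to `staleVersions` in place of `SAMPLE_LOCK`; a non-empty result means an override or a workspace package was missed.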
@wtfiwtz wtfiwtz marked this pull request as ready for review June 3, 2026 23:39

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 3 files