Skip to content

fix(EGV-207): upgrade axios ^1.8.4 -> ^1.18.1#824

Merged
diegomayorga-dept merged 2 commits into
developmentfrom
fix/security-ticket2-axios-upgrade-wt
Jul 6, 2026
Merged

fix(EGV-207): upgrade axios ^1.8.4 -> ^1.18.1#824
diegomayorga-dept merged 2 commits into
developmentfrom
fix/security-ticket2-axios-upgrade-wt

Conversation

@diegomayorga-dept

@diegomayorga-dept diegomayorga-dept commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Title

fix(security): upgrade axios ^1.8.4 → ^1.18.1

Type of Change

  • New feature
  • Bug fix
  • Documentation update
  • Refactoring
  • Hotfix
  • Security patch
  • UI/UX improvement

Description

Pins axios to ^1.18.1 in the front-end package to clear 25 Dependabot advisories covering: prototype pollution, ReDoS, credential leak, SSRF, XSRF token leakage, CRLF injection, and DoS variants.

The version is controlled from .projenrc.ts — the bare 'axios' dep specifier in the front-end subproject was replaced with 'axios@^1.18.1'. No application code was modified; axios 1.x is fully backwards-compatible within the major.

Testing

  • Front-end test suite: 43/43 tests pass after the upgrade.
  • pnpm install --no-frozen-lockfile completed without errors after projen regeneration.

Impact

  • axios 1.x is backwards-compatible — no changes to API call signatures, interceptors, or error handling required.
  • Only packages/front-end/package.json and pnpm-lock.yaml are affected; back-end and shared-lib are untouched.

Additional Information

This is part of a multi-PR Dependabot remediation effort. PR #816 shipped transitive overrides for the first batch; a separate PR (PR3) adds pnpm overrides for ~31 additional transitive packages. This PR targets the axios direct dependency upgrade only.

Checklist

  • No new errors or warnings have been introduced.
  • All tests pass successfully and new tests added as necessary.
  • Documentation has been updated accordingly.
  • Code adheres to the coding and style guidelines of the project.
  • Code has been commented in particularly hard-to-understand areas.

Clears 25 advisories: prototype pollution, ReDoS, credential leak,
SSRF, XSRF token leakage, CRLF injection, and DoS variants.
@diegomayorga-dept diegomayorga-dept changed the title fix(security): upgrade axios ^1.8.4 -> ^1.18.1 fix(EGV-207): upgrade axios ^1.8.4 -> ^1.18.1 Jul 1, 2026
@diegomayorga-dept diegomayorga-dept merged commit afa9220 into development Jul 6, 2026
2 checks passed
@diegomayorga-dept diegomayorga-dept deleted the fix/security-ticket2-axios-upgrade-wt branch July 6, 2026 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants