Skip to content

security: pin axios override to <1.14.1 (supply chain fix)#146

Merged
KateZhang98 merged 1 commit into
mainfrom
andriy/eng-13585-pin-axios-to-safe-version-in-agentql-and-tinyfish-cookbook
Mar 31, 2026
Merged

security: pin axios override to <1.14.1 (supply chain fix)#146
KateZhang98 merged 1 commit into
mainfrom
andriy/eng-13585-pin-axios-to-safe-version-in-agentql-and-tinyfish-cookbook

Conversation

@andriy-sudo

Copy link
Copy Markdown
Contributor

Summary

Tightens the axios override in examples/js/package.json from >=1.13.5 to >=1.13.5 <1.14.1 to exclude the compromised version.

  • axios@1.14.1 was published March 30–31, 2026 with a Remote Access Trojan (postinstall hook delivering a RAT that beacons to C2 every 60s)
  • The lockfile is already resolved to 1.13.6 (safe) — no lockfile change needed
  • The new constraint prevents any future npm install from resolving to 1.14.1

Ref: ENG-13585 / ENG-13581

Test plan

  • npm install in examples/js/ resolves axios to a version satisfying >=1.13.5 <1.14.1
  • No axios 1.14.1 appears in the generated lockfile

axios 1.14.1 was found to contain a RAT (supply chain compromise, March 2026).
The previous override `>=1.13.5` could resolve to the compromised version on a
fresh install. Tightening to `>=1.13.5 <1.14.1` ensures the lockfile's current
safe version (1.13.6) is the upper bound until a verified clean 1.14.x is out.

Ref: ENG-13585

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Mar 31, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 08cca6a1-2f26-49cc-a9de-4355b2e68032

📥 Commits

Reviewing files that changed from the base of the PR and between ed1967c and 3bde783.

📒 Files selected for processing (1)
  • examples/js/package.json

📝 Walkthrough

Walkthrough

The npm overrides constraint for the axios dependency in examples/js/package.json was updated. The version range was modified from >=1.13.5 to >=1.13.5 <1.14.1, adding an upper bound that excludes versions 1.14.1 and above. No other dependencies or package configurations were altered.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and accurately summarizes the main change: pinning axios to exclude a compromised version for security reasons.
Description check ✅ Passed The description is directly related to the changeset, explaining the security rationale, impact, and test plan for the axios override constraint update.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch andriy/eng-13585-pin-axios-to-safe-version-in-agentql-and-tinyfish-cookbook

Comment @coderabbitai help to get the list of available commands and usage tips.

@andriy-sudo andriy-sudo requested a review from KateZhang98 March 31, 2026 19:56
@KateZhang98 KateZhang98 merged commit dcf8143 into main Mar 31, 2026
4 checks passed
@KateZhang98 KateZhang98 deleted the andriy/eng-13585-pin-axios-to-safe-version-in-agentql-and-tinyfish-cookbook branch March 31, 2026 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants