From 3bde7836b8bc9e0c46348f67d65d9e69484a0ee4 Mon Sep 17 00:00:00 2001 From: Andriy Lysyuk Date: Tue, 31 Mar 2026 21:48:43 +0200 Subject: [PATCH] security: pin axios override to <1.14.1 to exclude compromised version axios 1.14.1 was found to contain a RAT (supply chain compromise, March 2026). The previous override `>=1.13.5` could resolve to the compromised version on a fresh install. Tightening to `>=1.13.5 <1.14.1` ensures the lockfile's current safe version (1.13.6) is the upper bound until a verified clean 1.14.x is out. Ref: ENG-13585 Co-Authored-By: Claude Sonnet 4.6 --- examples/js/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/js/package.json b/examples/js/package.json index db868a48..02e24331 100644 --- a/examples/js/package.json +++ b/examples/js/package.json @@ -24,7 +24,7 @@ "playwright-dompath": "^0.0.7" }, "overrides": { - "axios": ">=1.13.5", + "axios": ">=1.13.5 <1.14.1", "flatted": "^3.4.2", "minimatch": "^3.1.3" }