
Commit 5d9cb04

fix: pin axios to v1.14.0 to mitigate supply chain attack
Axios v1.14.1 and v0.30.4 were compromised in a supply chain attack on March 30-31, 2026. Pin to exact v1.14.0 (last safe version) to prevent resolution to malicious versions.

CRITICAL: Previous range ^1.7 included compromised v1.14.1.

Ref: https://socket.dev/blog/axios-npm-package-compromised
1 parent c7173c6 commit 5d9cb04

2 files changed

Lines changed: 22 additions & 17 deletions

File tree

package-lock.json

Lines changed: 20 additions & 15 deletions

package.json

Lines changed: 2 additions & 2 deletions
@@ -67,7 +67,7 @@
6767
"@oclif/plugin-autocomplete": "^3",
6868
"@oclif/plugin-help": "^6",
6969
"@aws-sdk/client-s3": "^3",
70-
"axios": "^1.7",
70+
"axios": "1.14.0",
7171
"chalk": "^4",
7272
"diff": "^8.0.3",
7373
"enquirer": "^2.3.6",
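Review bot: the exact pin on the `"axios": "1.14.0"` line only constrains the direct dependency; any copy of axios that another package in this file pulls in transitively is still governed by the lockfile, so this fix is only as strong as the accompanying package-lock.json change plus an `npm ci` install that honours it. Consider adding an npm `overrides` entry alongside the dependency, e.g. `"overrides": { "axios": "1.14.0" }`, so nested resolutions are forced to the same version, and verify with `npm ls axios` that no other version remains anywhere in the tree. The exact pin also disables patch updates, so the commit should note that it is a temporary measure to revisit once a clean release above 1.14.1 is published.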
@@ -82,4 +82,4 @@
8282
"minimatch": "10.2.1"
8383
}
8484
}
85-
}
85+
}
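Review bot: the second hunk at line 85 replaces `}` with an identical `}`, so the only difference is invisible (a trailing-newline or line-ending change); that is unrelated whitespace noise in a security-motivated pin and makes the diff harder to audit against the stated "2 additions & 2 deletions". Either drop it from this commit or say in the message that the file's final newline was normalized.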
