Skip to content

[agent] chore(deps): bump axios to >=1.16.0 via overrides (GHSA-pjwm-pj3p-43mv)#820

Draft
github-actions[bot] wants to merge 1 commit into
mainfrom
fix/axios-ghsa-pjwm-pj3p-43mv-fdebd36d16d80683
Draft

[agent] chore(deps): bump axios to >=1.16.0 via overrides (GHSA-pjwm-pj3p-43mv)#820
github-actions[bot] wants to merge 1 commit into
mainfrom
fix/axios-ghsa-pjwm-pj3p-43mv-fdebd36d16d80683

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Summary

Resolves Dependabot alert #294: CVE-2026-44492 / GHSA-pjwm-pj3p-43mv (High, CVSS 8.6).

The vulnerability is an incomplete fix for CVE-2025-62718 in axios: shouldBypassProxy does not normalize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass and potential SSRF in cloud environments (e.g., bypassing NO_PROXY=169.254.169.254 via ::ffff:a9fe:a9fe).

Affected range: >= 1.15.0, < 1.16.0. Fixed in 1.16.0.

Changes

  • Added "overrides": { "axios": "^1.16.0" } to root package.json
  • Updated package-lock.jsonaxios is now resolved to 1.18.1

Why overrides?

axios is a transitive dependency pulled in by nx. nx pins axios@1.15.0 in its own dependencies and has not yet released a version that pulls in >=1.16.0. Since there is no direct axios declaration in any workspace package.json to bump, an npm overrides entry is the appropriate mechanism to force the patched version.

Alerts addressed

Generated by Dependabot remediation agent · ● 424K ·

Add npm overrides to force axios to ^1.16.0, resolving the transitive
dependency vulnerability where nx@* depends on axios@1.15.0.

Fixes: CVE-2026-44492 / GHSA-pjwm-pj3p-43mv
Alert: https://github.com/mongodb-js/devtools-shared/security/dependabot/294

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants