
Fix axios version in package.json #1

Open: elmejdki wants to merge 1 commit into master from elmejdki-patch-1

Conversation

elmejdki (Collaborator) commented Apr 1, 2026

Due to the latest vulnerability attack on Axios, we have decided to pin the current axios version on all projects to avoid potential issues in the future.

Summary by CodeRabbit

  • Chores
    • Pinned a core dependency to a specific version for improved stability and consistency.

coderabbitai (Bot) commented Apr 1, 2026

Walkthrough

The axios dependency version in package.json was changed from a caret range specifier (^0.16.2) to an exact version pinning (0.16.2), restricting the dependency resolver to that specific release instead of allowing minor and patch updates.

Changes

Cohort / File(s) | Summary
Dependency Pinning: package.json | Changed axios dependency from caret range (^0.16.2) to exact version (0.16.2), removing flexibility for automatic minor and patch version updates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A carrot's claim was set in stone,
No wiggle room, no uncertain tone,
Version locked with precision tight,
The bunny ensures axios just right! ✨

🚥 Pre-merge checks | ✅ 3 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | Passed | The title 'Fix axios version in package.json' directly and clearly summarizes the main change: pinning the axios dependency to an exact version in package.json to address a vulnerability.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 80: The package.json pins "axios" to the vulnerable 0.16.2 release; update the "axios" dependency value to a secure version (preferably "1.14.0", or at minimum "0.30.3") in package.json, then regenerate the lockfile (npm install / yarn install) and run tests/CI to ensure nothing breaks; ensure any code using axios is compatible with the new major version (check for breaking changes if moving to 1.x) and update import/usage sites if necessary.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cdeb36ac-3b52-4e9a-8d45-e35277d6010f

📥 Commits

Reviewing files that changed from the base of the PR and between 7975567 and 0db0b32.

📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"dependencies": {
"@babel/core": "^7.0.0-beta.32",
"axios": "^0.16.2",
"axios": "0.16.2",
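Review bot: the exact pin to 0.16.2 freezes the project on the release the review below identifies as vulnerable, so it does not meet the PR description's stated goal of avoiding issues from the Axios vulnerability; an exact pin only removes upward movement, it does not move the project onto a fixed release. If pinning is the intent, pin to a version at or above the minimum fixed versions quoted in the review (0.30.3 on the 0.x line, 1.14.0 on 1.x) and regenerate the lockfile in the same change, since, as the review's own prompt notes, the lockfile must be regenerated for the new value to take effect on install.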


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest Axios release on npm, and what are the minimum fixed Axios versions for all active GitHub/npm security advisories?

💡 Result:

The latest Axios release on npm is 1.14.0, published around March 27, 2026. Note that versions 1.14.1 and 0.30.4 were maliciously published but have been removed by npm. Active GitHub security advisories (as of 2026-04-01) and their minimum fixed versions:
  • GHSA-43fc-jf86-j433 (DoS via proto in mergeConfig, CVE-2026-25639): Fixed in 1.13.5 and 0.30.3
  • GHSA-4hjh-wcwx-xvwj (DoS via data: URL decode, CVE-2025-58754): Fixed version not explicitly stated in snippets, but post-Sep 2025 releases like 1.13.x+ are safe.
  • GHSA-rm8p-cx58-hcvx (Transitive form-data vuln, CVE-2025-7783): Affected 1.10.0, fixed in 1.11.0
  • GHSA-jr5f-v2jv-69x6 (SSRF/Credential Leakage): Fixed version not explicitly stated, but post-Mar 2025 releases safe.
For all active advisories, upgrade to at least 1.14.0 (latest) or 0.30.3 for 0.x branch users. Both 0.x and 1.x are supported per SECURITY.md.


Pinned version at Line 80 keeps Axios on an outdated, critically vulnerable release line.

This change locks axios to 0.16.2, which is extremely old and contains multiple unpatched CVEs including:

This does not satisfy the PR's security objective. Upgrade to at least 0.30.3 for the 0.x branch, or preferably to 1.14.0 (latest).

Suggested change
-    "axios": "0.16.2",
+    "axios": "1.14.0",
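Review bot: the suggested replacement jumps straight from 0.16.2 to 1.14.0, crossing the 1.x major boundary that the accompanying prompt itself flags for breaking changes, and it keeps the exact pin that the maintainer's later comment objects to. Suggest recording in the PR which line was chosen (0.30.3 on 0.x or 1.14.0 on 1.x) and why, and pairing the version bump with the lockfile regeneration and test run the prompt asks for, so the diff is reviewable as a security fix rather than a bare version edit.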
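Added example, not code from the PR or the project: a small Node script that reads the axios specifier from a package.json, works out the version range it admits under npm's caret/tilde rules, and reports whether that range can ever resolve to a release at or above the minimum fixed versions quoted in the review above (0.30.3 on 0.x, 1.14.0 on 1.x). The FIXED_FLOOR table is a constructed lookup of those two figures, not an advisory feed, and the sample package.json inputs are constructed to mirror the PR's before/after state.

```javascript
// Added example, not the PR's or project's code. FIXED_FLOOR is constructed
// from the minimum fixed versions quoted in the review: 0.30.3 (0.x), 1.14.0 (1.x).
const FIXED_FLOOR = { 0: [0, 30, 3], 1: [1, 14, 0] };

// Accepts "1.2.3", "^1.2.3", "~1.2.3"; a pre-release tag is tolerated and ignored.
function parseSpec(spec) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported specifier: ${spec}`);
  return { op: m[1], version: [Number(m[2]), Number(m[3]), Number(m[4])] };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound under npm semantics: caret keeps the left-most non-zero
// component fixed, tilde keeps major.minor, an exact pin allows nothing newer.
function upperBound(op, [ma, mi, pa]) {
  if (op === "^") return ma > 0 ? [ma + 1, 0, 0] : mi > 0 ? [0, mi + 1, 0] : [0, 0, pa + 1];
  if (op === "~") return [ma, mi + 1, 0];
  return [ma, mi, pa + 1];
}

function assessSpec(spec) {
  const { op, version } = parseSpec(spec);
  const floor = FIXED_FLOOR[version[0]];
  if (!floor) return { spec, pinned: op === "", status: "unknown-major" };
  return {
    spec,
    pinned: op === "",
    // The resolver's lowest legal pick is the spec's own version.
    status: compare(version, floor) >= 0 ? "fixed" : "vulnerable",
    // Can any version inside the range be a fixed one?
    canReachFix: compare(upperBound(op, version), floor) > 0,
  };
}

function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return "axios" in deps ? assessSpec(deps.axios) : null;
}

// Constructed inputs mirroring the PR's before/after state.
const BEFORE = JSON.stringify({ dependencies: { axios: "^0.16.2" } });
const AFTER = JSON.stringify({ dependencies: { axios: "0.16.2" } });
console.log(auditPackageJson(BEFORE), auditPackageJson(AFTER));
```

For "^0.16.2" and "0.16.2" alike the result is vulnerable with canReachFix false: under npm's caret rules a 0.x caret range only admits patch updates, so neither the original range nor the new pin could ever pick up a fixed release.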

@elmejdki elmejdki requested a review from tkidd77 April 1, 2026 16:10

tkidd77 left a comment

Instead of a static pin, trail latest by 7 days as this release is very old
