fix(deps): bump axios to ^1.16.0 for CVE-2026-44494#201

Open
JMPerez wants to merge 1 commit into master from fix/axios-cve-2026-44494

Conversation

@JMPerez JMPerez commented Jun 12, 2026

Owner

Why

GitHub security alert: CVE-2026-44494 — high severity, axios ≥1.0.0 <1.16.0 vulnerable to full man-in-the-middle via a prototype pollution gadget in config.proxy. This repo had axios ^1.7.7.

What

  • axios ^1.7.7 → ^1.16.0 in package.json; lockfile resolves to 1.17.0. The lockfile diff is solely axios's transitive dependency graph (follow-redirects, form-data, proxy-from-env, …); lockfile kept in v6 format (pnpm 8).
  • axios is used in exactly one place: app/api/bmc/route.ts (server-side axios.get), unaffected by the API surface between 1.7 and 1.17.

Verification

pnpm install + pnpm test: 6 suites, 39 tests, all passing.

🤖 Generated with Claude Code

High-severity advisory: axios <1.16.0 is vulnerable to full
man-in-the-middle via a prototype pollution gadget in config.proxy.
Resolves to 1.17.0. axios is used in one server-side route
(app/api/bmc/route.ts); all 39 tests pass.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
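A reviewer's check for this kind of bump, added here as an example and not code from this repository or from axios: confirm that the version the lockfile actually resolves to lies outside the advisory range the PR description quotes (axios >=1.0.0 <1.16.0), and separately that the new package.json caret range can no longer admit a vulnerable release (^1.7.7 could, since it allows anything from 1.7.7 up to but excluding 2.0.0). The version parser is a deliberately minimal MAJOR.MINOR.PATCH comparison with no prerelease handling, so it runs offline without the `semver` package; the pnpm-lock.yaml fragment is constructed to mirror the numbers in the PR, with a placeholder integrity hash, and is not the repository's real lockfile.

```javascript
// Added example: audit a pnpm v6 lockfile entry against a fixed-version advisory.
// Not part of the PR or of axios; advisory bounds are taken from the PR text.
const ADVISORY = { id: "CVE-2026-44494", pkg: "axios", introduced: "1.0.0", fixed: "1.16.0" };

// Parse the leading MAJOR.MINOR.PATCH; trailing text such as pnpm's peer
// suffix ("1.17.0(debug@4.3.4)") is tolerated and ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Vulnerable iff introduced <= version < fixed.
function isVulnerable(version, adv = ADVISORY) {
  return compareVersions(version, adv.introduced) >= 0 && compareVersions(version, adv.fixed) < 0;
}

// A caret range ^X.Y.Z means >=X.Y.Z <(X+1).0.0 (for X >= 1). It can still
// resolve to a vulnerable release iff that interval intersects [introduced, fixed).
function caretRangeAdmitsVulnerable(range, adv = ADVISORY) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges are handled here: ${range}`);
  const base = range.slice(1);
  const nextMajor = `${parseVersion(base)[0] + 1}.0.0`;
  const lower = compareVersions(base, adv.introduced) >= 0 ? base : adv.introduced;
  const upper = compareVersions(nextMajor, adv.fixed) <= 0 ? nextMajor : adv.fixed;
  return compareVersions(lower, upper) < 0;
}

// Constructed lockfile fragment (pnpm lockfileVersion 6.0), not the repo's own.
const SAMPLE_LOCK = `lockfileVersion: '6.0'

dependencies:
  axios:
    specifier: ^1.16.0
    version: 1.17.0

packages:

  /axios@1.17.0:
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}
    dependencies:
      follow-redirects: 1.15.6
      form-data: 4.0.0
      proxy-from-env: 1.1.0
    dev: false
`;

// Pull the direct-dependency specifier and resolved version for adv.pkg and
// evaluate both against the advisory. Only the top-level "dependencies:" block
// is inspected; a transitive copy of the package would need the "packages:" map.
function auditLockfile(lockText, adv = ADVISORY) {
  const re = new RegExp(`^  ${adv.pkg}:\\n    specifier: (\\S+)\\n    version: (\\S+)`, "m");
  const m = re.exec(lockText);
  if (!m) throw new Error(`${adv.pkg} not found as a direct dependency`);
  const [, specifier, version] = m;
  return {
    specifier,
    version,
    resolvedVulnerable: isVulnerable(version, adv),
    rangeAdmitsVulnerable: caretRangeAdmitsVulnerable(specifier, adv),
  };
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it with `node`; to check the real repository, replace `SAMPLE_LOCK` with `fs.readFileSync("pnpm-lock.yaml", "utf8")`. Both flags should be false after the bump; `rangeAdmitsVulnerable` is the one that matters for future installs, since a lockfile-only pin can be silently widened by the next `pnpm update`.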