[agent] chore(deps): add npm override to pin axios to >=1.15.2 #740

Draft
github-actions[bot] wants to merge 1 commit into main from fix/security-axios-override-436d8ac370a247b1

github-actions bot commented May 6, 2026

Summary

Adds an npm overrides entry in the root package.json to force axios to resolve to >=1.15.2, addressing 10 Dependabot security alerts.

Root cause

axios is a transitive dependency pulled in via lerna → nx → axios. The currently installed nx@22.6.5 (and the latest nx@22.7.1) still ships axios@1.15.0, which is affected by multiple CVEs. Since the nx maintainers have not yet published a release with a fixed axios, a manifest-level override is the appropriate remedy rather than a direct dependency bump.

Changes

  • package.json: Added "overrides": { "axios": ">=1.15.2" }
  • package-lock.json: Updated — axios now resolves to 1.16.0

Alerts addressed

| Alert | GHSA | CVE | Severity |
|-------|------|-----|----------|
| #256 | GHSA-445q-vr5w-6q77 | CVE-2026-42037 | Medium |
| #255 | GHSA-m7pr-hjqh-92cm | CVE-2026-42038 | Medium |
| #251 | GHSA-pf86-5x62-jrwf | CVE-2026-42033 | High |
| #250 | GHSA-6chq-wfr3-2hj9 | CVE-2026-42035 | High |
| #249 | GHSA-xx6v-rp6x-q39c | CVE-2026-42042 | Medium |
| #248 | GHSA-w9j2-pvgh-6h63 | CVE-2026-42041 | Medium |
| #247 | GHSA-pmwg-cvhr-8vh7 | CVE-2026-42043 | High |
| #246 | GHSA-3w6x-2g7m-8v23 | CVE-2026-42044 | Medium |
| #245 | GHSA-q8qp-cvcw-x6jj | CVE-2026-42264 | High |
| #244 | GHSA-xhjh-pmcv-23jw | CVE-2026-42040 | Low |

Generated by Dependabot remediation agent

Adds an npm `overrides` entry to force axios (a transitive dependency
pulled in via lerna → nx) to resolve to >=1.15.2. The latest nx release
(22.7.1) still ships axios 1.15.0 and has not yet published a version
with a fixed axios, so a manifest-level override is the appropriate fix.

Resolves Dependabot alerts: #244, #245, #246, #247, #248, #249, #250, #251, #255, #256

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
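
An added example, not part of this pull request or the repository's code: one way to confirm from the lockfile that an override like the one described above left no copy of axios below the floor, whether hoisted or nested. It assumes a `package-lock.json` with `lockfileVersion` 2 or 3 and plain `major.minor.patch` versions; `findBelow`, the sample lockfiles and the `legacy-tool` package are hypothetical and constructed for illustration.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3) for installed copies of
// a package that are older than a required minimum version.

// Parse "major.minor.patch" into numbers. Prerelease/build tags are ignored
// (assumption: only plain release versions matter for this check).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly older than version b.
function lessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Return every lockfile entry for `name` (hoisted or nested) older than `min`.
// Entries without a version (for example workspace links) are skipped.
function findBelow(lock, name, min) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && lessThan(meta.version, min))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfiles (not the PR's real package-lock.json).
const beforeOverride = { lockfileVersion: 3, packages: {
  '': { name: 'example-root' },
  'node_modules/nx': { version: '22.6.5' },
  'node_modules/axios': { version: '1.15.0' },
} };
const afterOverride = { lockfileVersion: 3, packages: {
  '': { name: 'example-root' },
  'node_modules/nx': { version: '22.6.5' },
  'node_modules/axios': { version: '1.16.0' },
  // Hypothetical stale nested copy that a reviewer would want flagged:
  'node_modules/legacy-tool/node_modules/axios': { version: '1.14.9' },
} };

console.log(findBelow(beforeOverride, 'axios', '1.15.2'));
console.log(findBelow(afterOverride, 'axios', '1.15.2'));
```

Against a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument and fail the CI job when the returned array is not empty.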