fix: bump npm deps to resolve Dependabot advisories #9191
Resolve 8 open Dependabot alerts (all npm, in pnpm-lock.yaml) by bumping the affected packages in pnpm-workspace.yaml and regenerating the lockfile:

- axios 1.15.2 -> 1.16.0 (catalog): CVE-2026-44494/44492/44490/44489
- tmp -> 0.2.6 (override): CVE-2026-44705 path traversal
- ws 8.x -> 8.20.1 (catalog + scoped override): CVE-2026-45736
- qs 6.14.2 -> 6.15.2 (override): CVE-2026-8723 DoS
- brace-expansion 5.0.5 -> 5.0.6 (override): CVE-2026-45149 DoS

brace-expansion and qs were pinned to their vulnerable versions in the overrides block, so the pins had to be bumped directly. ws is scoped to the 8.x major (ws@7.5.10 is below the vulnerable >=8.0.0 floor). All bumps are semver-compatible patch/minor upgrades; no source changes required.
No actionable comments were generated in the recent review.

Walkthrough: This PR bumps workspace dependency pins (axios, ws) and overrides (brace-expansion, qs, tmp, ws@8), and changes three APIService files to import axios via the named `create` export and instantiate axios with `create({...})`.

Changes: workspace dependency updates; APIService axios `create` refactor.

Estimated code review effort: 2 (Simple), ~10 minutes. Pre-merge checks: 5 passed.
Pull request overview
This PR resolves 8 Dependabot npm security alerts by updating dependency versions in the workspace catalog/overrides and regenerating pnpm-lock.yaml so the patched versions are enforced across the monorepo.
Changes:

- Bumped `axios` to `1.16.0` via the workspace catalog (and lockfile).
- Updated `brace-expansion` to `5.0.6` and `qs` to `6.15.2` via `overrides` to remove vulnerable pins.
- Added `tmp@0.2.6` and constrained `ws@8` to `8.20.1` via `overrides`, while keeping `ws@7.5.10` present.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Updates catalog/overrides to force patched versions of flagged dependencies. |
| pnpm-lock.yaml | Regenerates lockfile to reflect the updated catalog/overrides and eliminate vulnerable resolutions. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Actionable comments posted: 1

Nitpick comments (1)

pnpm-workspace.yaml (1)

Line 202: CVE fixes in pnpm-workspace.yaml overrides are aligned with the targeted package versions (brace-expansion@5.0.6, qs@6.15.2, tmp@0.2.6)

- `brace-expansion` 5.0.6 fixes CVE-2026-45149 (DoS from improper handling of `max`; affected 5.0.0–5.0.5).
- `qs` 6.15.2 fixes CVE-2026-8723 (crash/DoS path in `stringify` for `comma` + `encodeValuesOnly: true`; fix released in 6.15.2).
- `tmp` 0.2.6 fixes CVE-2026-44705 (path traversal from unsanitized `prefix`/`postfix`/`dir`).
- Latest stable `tmp` is 0.2.7; consider bumping from 0.2.6 if you want the newest release (the CVE is already fixed in 0.2.6).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pnpm-workspace.yaml`:
- Line 98: The CVE mapping for axios@1.16.0 is incorrect: only CVE-2026-44494
and CVE-2026-44492 are supported as fixed in 1.16.0, while CVE-2026-44490 and
CVE-2026-44489 are not backed by sources for 1.16.0—either update the PR’s
CVE-to-version mapping/justification to remove those two CVEs for "axios:
1.16.0" or bump axios to the latest stable (1.16.1) and document that bump; also
verify that "ws: 8.20.1" remains listed with CVE-2026-45736 noted as fixed.
Ensure the change references the exact entries "axios: 1.16.0" and "ws: 8.20.1"
in the workspace manifest so reviewers can validate the updates.
---
Nitpick comments:
In `@pnpm-workspace.yaml`:
- Line 202: Update the pnpm workspace overrides to pin the vulnerable packages
to the fixed versions: set brace-expansion to 5.0.6, qs to 6.15.2, and tmp to at
least 0.2.6 (preferably 0.2.7); modify the override entries named
"brace-expansion", "qs", and "tmp" in the pnpm-workspace.yaml to those versions
so the CVE fixes are applied (optionally bump tmp to 0.2.7 for the latest stable
release).
Files ignored due to path filters (1): `pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`.

Files selected for processing (1): `pnpm-workspace.yaml`
| "ast-types": "0.14.2" | ||
| "autoprefixer": "^10.4.19" | ||
| "axios": "1.15.2" | ||
| "axios": "1.16.0" |
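Review bot: the catalog keeps axios on an exact pin (`"axios": "1.16.0"`), so the next axios advisory will need another manual catalog edit rather than a lockfile regeneration; that matches the exact pin on `"ast-types": "0.14.2"` but not the caret range on `"autoprefixer": "^10.4.19"` two lines above. If the exact pin is deliberate (so the lockfile cannot resolve below the patched floor), a short comment on the entry saying so would save the next reviewer the question; otherwise `^1.16.0` would keep the same floor and still pick up the 1.16.1 the review below mentions.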
Analysis chain

Web query: Do CVE-2026-44494, CVE-2026-44492, CVE-2026-44490, and CVE-2026-44489 exist for axios, and does axios version 1.16.0 fix them?

Result:
Yes—these CVEs are associated with axios, and axios 1.16.0 fixes at least some of them. However, I can only confidently confirm fixes for CVE-2026-44494 and CVE-2026-44492 from authoritative axios/GHSA-advisory style sources; for CVE-2026-44490 and CVE-2026-44489 I did not find authoritative axios vendor statements in the sources retrieved.

CVE-2026-44494: Exists for axios; fixed in axios 1.16.0. The axios security advisory for “Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy” (CVE-2026-44494) states the affected versions include all versions up to (and including) 1.15.0 and that it is associated with axios prototype-pollution proxy handling. It also notes that the header sanitization patch in v1.15.0 does not address this vector, implying the fix comes later (in 1.16.0). [1] Additionally, an issue referencing the same set of CVEs explicitly states “Affected versions: >= 1.0.0, < 1.16.0” and “Patched in: 1.16.0” for CVE-2026-44494. [2]

CVE-2026-44492: Exists for axios; fixed in axios 1.16.0. Tenable’s CVE entry describes CVE-2026-44492 as a NO_PROXY bypass condition involving axios shouldBypassProxy and a published date in late May 2026, indicating the vulnerability exists for axios. [3] The same “dependency upgrade request” issue states that CVE-2026-44492 is affected in versions “>=1.0.0, <1.16.0” and “Patched in: 1.16.0.” [2]

CVE-2026-44490: Exists for axios? Not confirmed in the sources retrieved. I found a Tenable entry for CVE-2026-44490 that attributes the vulnerability to axios (“axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions”). [4] But in the sources retrieved, I did not find an authoritative statement from axios (or an axios GHSA advisory) explicitly stating that axios 1.16.0 fixes CVE-2026-44490. So I cannot confirm “1.16.0 fixes it” with high confidence based on what was retrieved.

CVE-2026-44489: Exists for axios? Not confirmed in the sources retrieved. In the retrieved sources, I did not find an authoritative axios-related entry or advisory that explicitly ties CVE-2026-44489 to axios or states a fixed version.

Practical recommendation: If you are exposed to these CVEs, upgrading axios to 1.16.1 or later is the safest course based on the available axios vulnerability-fix signal and Snyk’s “no direct vulnerabilities in latest version (1.16.1).” [5]
Citations:
- 1: GHSA-35jp-ww65-95wh
- 2: Security: Dependency upgrade request for axios to resolve high-severity proxy bypass vulnerabilities (CVE-2026-44492, CVE-2026-44494, CVE-2026-44495) twentyhq/twenty#21071
- 3: https://www.tenable.com/cve/CVE-2026-44492
- 4: https://www.tenable.com/cve/CVE-2026-44490
- 5: https://security.snyk.io/package/npm/axios
Web query: Does CVE-2026-45736 exist for ws (WebSocket library), and does ws version 8.20.1 fix it?

Result:
Yes, CVE-2026-45736 is a valid vulnerability that affects the ws WebSocket library for Node.js [1][2]. The vulnerability is an uninitialized memory disclosure flaw (CWE-908) located in the websocket.close implementation [1][2][3]. It occurs when a TypedArray (such as a Float32Array or Uint8Array) is passed as the reason argument to the close method, causing the library to potentially leak uninitialized memory to a remote peer [1][2][4]. Ws version 8.20.1 specifically fixes this vulnerability [1][2][5]. It is recommended that users of the ws library upgrade to version 8.20.1 or higher to mitigate this risk [6][3][4].
Citations:
- 1: https://nvd.nist.gov/vuln/detail/CVE-2026-45736
- 2: https://www.sentinelone.com/vulnerability-database/cve-2026-45736/
- 3: https://app.opencve.io/cve/CVE-2026-45736
- 4: Security: Bump ws dependency from 8.20.0 to 8.20.1 (CVE-2026-45736) Unitech/pm2#6116
- 5: websockets/ws@8.18.3...8.20.1
- 6: https://security.snyk.io/vuln/SNYK-JS-WS-16722635
Web query: What are the latest stable versions of axios and ws npm packages?

Result:
As of June 1, 2026, the latest stable versions of these packages on the npm registry are as follows: * axios: 1.16.1 [1][2][3] * ws: 8.21.0 [4][5][6] These versions represent the latest releases verified via the official npm registry and GitHub repositories as of May 2026 [7][3][4][8]. Users should always verify dependencies to avoid malicious packages, as there have been reports of unauthorized versions being published to the npm registry in the past [9][10].
Citations:
- 1: https://registry.npmjs.org/axios
- 2: https://www.npmjs.com/package/axios
- 3: https://www.github.com/axios/axios
- 4: https://www.npmjs.com/package/ws
- 5: https://registry.npmjs.org/ws
- 6: https://www.npmjs.com/package/ws?activeTab=versions
- 7: https://github.com/axios/axios/releases
- 8: https://github.com/websockets/ws/releases
- 9: https://www.reddit.com/r/msp/comments/1s8e1af/new_axios_1141_and_0304_on_npm_are_likely/
- 10: https://healsecurity.com/hackers-push-22-versions-of-npm-rat-with-wallet-theft-and-persistent-backdoor/
CVE claims need adjustment: axios 1.16.0 doesn’t have full support for all listed fixes (pnpm-workspace.yaml: axios@1.16.0, ws@8.20.1)
- axios 1.16.0: CVE-2026-44494 and CVE-2026-44492 are fixed by 1.16.0.
- axios 1.16.0: CVE-2026-44490 and CVE-2026-44489 are not backed by authoritative sources in the retrieved material as being fixed by 1.16.0—update the PR’s mapping/justification or bump axios (latest stable is 1.16.1).
- ws 8.20.1: CVE-2026-45736 exists and is fixed by 8.20.1.
axios 1.16.0 newly exposes `create` as a named export, so oxlint's
import/no-named-as-default-member rule now flags `axios.create(...)`.
That added one warning to @plane/services (7 > its --max-warnings=6
baseline) and to apps/web and apps/live, failing check:lint — surfaced
on this PR because the lockfile change busts Turbo's lint cache.
Switch the three `axios.create(...)` call sites to a named `{ create }`
import. `create` is a real value+type export in axios 1.16.0 (verified
via tsc). isCancel/CancelToken are left as `axios.*`: CancelToken is
only a type export (cannot be a value import under verbatimModuleSyntax)
and both were already counted within the existing baselines.
Verified locally: full `pnpm check:lint` (16/16) and `check:types`
(15/15) pass.
Description

Resolves all 8 open Dependabot alerts (all npm, manifest `pnpm-lock.yaml`; 3 high, 4 moderate, 1 low) by bumping the affected packages in `pnpm-workspace.yaml` and regenerating the lockfile. No source code changes — every bump is a semver-compatible patch/minor upgrade.

| Package | Advisory | Version | Note |
|---|---|---|---|
| axios | CVE-2026-44494 | 1.15.2 → 1.16.0 | `config.proxy` |
| axios | CVE-2026-44492 | 1.15.2 → 1.16.0 | `NO_PROXY` bypass via IPv4-mapped IPv6 |
| axios | CVE-2026-44490 | 1.15.2 → 1.16.0 | |
| axios | CVE-2026-44489 | 1.15.2 → 1.16.0 | |
| tmp | CVE-2026-44705 | 0.2.5 → 0.2.6 | |
| ws | CVE-2026-45736 | 8.18.3 → 8.20.1 | |
| qs | CVE-2026-8723 | 6.14.2 → 6.15.2 | `qs.stringify` |
| brace-expansion | CVE-2026-45149 | 5.0.5 → 5.0.6 | |

Implementation notes

- `axios` is a `catalog:` (direct) dependency — bumped in the catalog block.
- `brace-expansion` and `qs` were pinned to their vulnerable versions inside the `overrides:` block, so a plain lockfile regen would not have fixed them; the pins themselves were bumped.
- `tmp` was an unpinned transitive dep — added to `overrides:` at the patched version.
- `ws` is scoped to the 8.x major (`"ws@8": 8.20.1`) because the coexisting `ws@7.5.10` (via `express`) is below the vulnerable `>=8.0.0` floor and must not be forced up. The catalog `ws` entry was pinned to the same exact version to dedup to a single copy.
Test Scenarios

- `--frozen-lockfile` succeed (lockfile is in sync with `pnpm-workspace.yaml`).
- `axios@1.16.0`, `tmp@0.2.6`, `qs@6.15.2`, `brace-expansion@5.0.6`, `ws@8.20.1` (and the unaffected `ws@7.5.10`); no vulnerable version remains.
- (`pnpm check:types`, `pnpm build`) — all upgrades are within-major and API-compatible.
- preview, the 8 Dependabot alerts auto-close.
🤖 Generated with Claude Code