From 63d2cb677b6eda7d46390b92f2280b2cbe21c511 Mon Sep 17 00:00:00 2001 From: sriramveeraghanta Date: Mon, 1 Jun 2026 17:58:37 +0530 Subject: [PATCH 1/2] fix: bump npm deps to resolve Dependabot advisories Resolve 8 open Dependabot alerts (all npm, in pnpm-lock.yaml) by bumping the affected packages in pnpm-workspace.yaml and regenerating the lockfile: - axios 1.15.2 -> 1.16.0 (catalog): CVE-2026-44494/44492/44490/44489 - tmp -> 0.2.6 (override): CVE-2026-44705 path traversal - ws 8.x -> 8.20.1 (catalog + scoped override): CVE-2026-45736 - qs 6.14.2 -> 6.15.2 (override): CVE-2026-8723 DoS - brace-expansion 5.0.5 -> 5.0.6 (override): CVE-2026-45149 DoS brace-expansion and qs were pinned to their vulnerable versions in the overrides block, so the pins had to be bumped directly. ws is scoped to the 8.x major (ws@7.5.10 is below the vulnerable >=8.0.0 floor). All bumps are semver-compatible patch/minor upgrades; no source changes required. --- pnpm-lock.yaml | 86 +++++++++++++++++++++++---------------------- pnpm-workspace.yaml | 10 +++--- 2 files changed, 50 insertions(+), 46 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 32acf981c33..9bc55502e27 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -529,8 +529,8 @@ catalogs: specifier: ^3.17.0 version: 3.17.0 ws: - specifier: ^8.18.3 - version: 8.18.3 + specifier: 8.20.1 + version: 8.20.1 y-indexeddb: specifier: ^9.0.12 version: 9.0.12 @@ -552,7 +552,7 @@ overrides: mdast-util-to-hast: 13.2.1 valibot: 1.2.0 glob: 11.1.0 - brace-expansion: 5.0.5 + brace-expansion: 5.0.6 nanoid: 3.3.8 esbuild: 0.25.0 '@babel/helpers': 7.26.10 @@ -562,7 +562,7 @@ overrides: '@types/express': 4.17.23 typescript: 5.8.3 vite: 7.3.2 - qs: 6.14.2 + qs: 6.15.2 diff: 5.2.2 webpack: 5.104.1 lodash-es: 4.18.1 @@ -582,10 +582,12 @@ overrides: path-to-regexp: 0.1.13 defu: 6.1.5 postcss: 8.5.10 - axios: 1.15.2 + axios: 1.16.0 follow-redirects: 1.16.0 uuid: 14.0.0 fast-uri@<3.1.2: '>=3.1.2' + tmp: 0.2.6 + ws@8: 8.20.1 importers: 
@@ -655,8 +657,8 @@ importers: specifier: 'catalog:' version: 3.13.12 axios: - specifier: 1.15.2 - version: 1.15.2 + specifier: 1.16.0 + version: 1.16.0 isbot: specifier: 'catalog:' version: 5.1.31 @@ -788,8 +790,8 @@ importers: specifier: 'catalog:' version: 2.26.2(@tiptap/core@2.26.3(@tiptap/pm@3.6.6))(@tiptap/pm@3.6.6) axios: - specifier: 1.15.2 - version: 1.15.2 + specifier: 1.16.0 + version: 1.16.0 compression: specifier: 'catalog:' version: 1.8.1 @@ -825,7 +827,7 @@ importers: version: 14.0.0 ws: specifier: 'catalog:' - version: 8.18.3 + version: 8.20.1 y-prosemirror: specifier: 'catalog:' version: 1.3.7(prosemirror-model@1.25.3)(prosemirror-state@1.4.3)(prosemirror-view@1.40.0)(y-protocols@1.0.6(yjs@13.6.27))(yjs@13.6.27) @@ -933,8 +935,8 @@ importers: specifier: 'catalog:' version: 7.13.1(react-router@7.12.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(typescript@5.8.3) axios: - specifier: 1.15.2 - version: 1.15.2 + specifier: 1.16.0 + version: 1.16.0 clsx: specifier: 'catalog:' version: 2.1.1 @@ -1096,8 +1098,8 @@ importers: specifier: 'catalog:' version: 8.21.3(react-dom@18.3.1(react@18.3.1))(react@18.3.1) axios: - specifier: 1.15.2 - version: 1.15.2 + specifier: 1.16.0 + version: 1.16.0 clsx: specifier: 'catalog:' version: 2.1.1 @@ -1664,8 +1666,8 @@ importers: specifier: workspace:* version: link:../types axios: - specifier: 1.15.2 - version: 1.15.2 + specifier: 1.16.0 + version: 1.16.0 file-type: specifier: 'catalog:' version: 21.3.3 
@@ -5060,8 +5062,8 @@ packages: resolution: {integrity: sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==} engines: {node: '>= 0.4'} - axios@1.15.2: - resolution: {integrity: sha512-wLrXxPtcrPTsNlJmKjkPnNPK2Ihe0hn0wGSaTEiHRPxwjvJwT3hKmXF4dpqxmPO9SoNb2FsYXj/xEo0gHN+D5A==} + axios@1.16.0: + resolution: {integrity: sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==} babel-dead-code-elimination@1.0.10: resolution: {integrity: sha512-DV5bdJZTzZ0zn0DC24v3jD7Mnidh6xhKa4GfKCbq3sfW8kaWhDdZjP3i81geA8T33tdYqWKw4D3fVv0CwEgKVA==} @@ -5122,8 +5124,8 @@ packages: resolution: {integrity: sha512-j//dBVuyacJbvW+tvZ9HuH03fZ46QcaKvvhZickZqtB271DxJ7SNRSNxrV/dZX0085m7hISRZWbzWlJvx/rHSg==} engines: {node: '>=14.16'} - brace-expansion@5.0.5: - resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} + brace-expansion@5.0.6: + resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==} engines: {node: 18 || 20 || >=22} braces@3.0.3: @@ -7694,8 +7696,8 @@ packages: pure-rand@6.1.0: resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==} - qs@6.14.2: - resolution: {integrity: sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==} + qs@6.15.2: + resolution: {integrity: sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==} engines: {node: '>=0.6'} quansync@1.0.0: 
@@ -8431,8 +8433,8 @@ packages: peerDependencies: '@tiptap/core': ^2.0.3 - tmp@0.2.5: - resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==} + tmp@0.2.6: + resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==} engines: {node: '>=14.14'} to-regex-range@5.0.1: @@ -8922,8 +8924,8 @@ packages: utf-8-validate: optional: true - ws@8.18.3: - resolution: {integrity: sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==} + ws@8.20.1: + resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -9419,7 +9421,7 @@ snapshots: '@parcel/watcher': 2.5.4 effect: 3.20.0 multipasta: 0.2.7 - ws: 8.18.3 + ws: 8.20.1 transitivePeerDependencies: - bufferutil - utf-8-validate @@ -9434,7 +9436,7 @@ snapshots: effect: 3.20.0 mime: 3.0.0 undici: 7.24.0 - ws: 8.18.3 + ws: 8.20.1 transitivePeerDependencies: - bufferutil - utf-8-validate @@ -9675,7 +9677,7 @@ snapshots: '@hocuspocus/common': 2.15.3 '@lifeomic/attempt': 3.1.0 lib0: 0.2.114 - ws: 8.18.3 + ws: 8.20.1 y-protocols: 1.0.6(yjs@13.6.27) yjs: 13.6.27 transitivePeerDependencies: @@ -9689,7 +9691,7 @@ snapshots: kleur: 4.1.5 lib0: 0.2.114 uuid: 14.0.0 - ws: 8.18.3 + ws: 8.20.1 y-protocols: 1.0.6(yjs@13.6.27) yjs: 13.6.27 transitivePeerDependencies: @@ -12016,7 +12018,7 @@ snapshots: dependencies: possible-typed-array-names: 1.1.0 - axios@1.15.2: + axios@1.16.0: dependencies: follow-redirects: 1.16.0 form-data: 4.0.5 @@ -12075,7 +12077,7 @@ snapshots: http-errors: 2.0.0 iconv-lite: 0.4.24 on-finished: 2.4.1 - qs: 6.14.2 + qs: 6.15.2 raw-body: 2.5.2 type-is: 1.6.18 unpipe: 1.0.0 @@ -12095,7 +12097,7 @@ snapshots: widest-line: 4.0.1 wrap-ansi: 8.1.0 - brace-expansion@5.0.5: + brace-expansion@5.0.6: dependencies: balanced-match: 4.0.4 
@@ -12876,7 +12878,7 @@ snapshots: parseurl: 1.3.3 path-to-regexp: 0.1.13 proxy-addr: 2.0.7 - qs: 6.14.2 + qs: 6.15.2 range-parser: 1.2.1 safe-buffer: 5.2.1 send: 0.19.0 @@ -13576,7 +13578,7 @@ snapshots: neo-async: 2.6.2 picocolors: 1.1.1 recast: 0.23.11 - tmp: 0.2.5 + tmp: 0.2.6 write-file-atomic: 5.0.1 transitivePeerDependencies: - supports-color @@ -14359,11 +14361,11 @@ snapshots: minimatch@10.2.3: dependencies: - brace-expansion: 5.0.5 + brace-expansion: 5.0.6 minimatch@3.1.4: dependencies: - brace-expansion: 5.0.5 + brace-expansion: 5.0.6 minimist@1.2.8: {} @@ -14964,7 +14966,7 @@ snapshots: pure-rand@6.1.0: {} - qs@6.14.2: + qs@6.15.2: dependencies: side-channel: 1.1.0 @@ -15716,7 +15718,7 @@ snapshots: esbuild-register: 3.6.0(esbuild@0.25.0) recast: 0.23.11 semver: 7.7.4 - ws: 8.18.3 + ws: 8.20.1 optionalDependencies: prettier: 3.7.4 transitivePeerDependencies: @@ -15890,7 +15892,7 @@ snapshots: markdown-it-task-lists: 2.1.1 prosemirror-markdown: 1.13.2 - tmp@0.2.5: {} + tmp@0.2.6: {} to-regex-range@5.0.1: dependencies: @@ -16119,7 +16121,7 @@ snapshots: url@0.11.4: dependencies: punycode: 1.4.1 - qs: 6.14.2 + qs: 6.15.2 use-callback-ref@1.3.3(@types/react@18.3.11)(react@18.3.1): dependencies: @@ -16449,7 +16451,7 @@ snapshots: ws@7.5.10: {} - ws@8.18.3: {} + ws@8.20.1: {} y-indexeddb@9.0.12(yjs@13.6.27): dependencies: diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 23da97dcaea..458563761cb 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -95,7 +95,7 @@ catalog: "@vitest/coverage-v8": "^4.0.8" "ast-types": "0.14.2" "autoprefixer": "^10.4.19" - "axios": "1.15.2" + "axios": "1.16.0" "buffer": "^6.0.3" "chroma-js": "^3.2.0" "class-variance-authority": "0.7.1" @@ -187,7 +187,7 @@ catalog: "vite-tsconfig-paths": "^5.1.4" "vitest": "^4.0.8" "winston": "^3.17.0" - "ws": "^8.18.3" + "ws": "8.20.1" "y-indexeddb": "^9.0.12" "y-prosemirror": "^1.3.7" "y-protocols": "^1.0.6" 
@@ -199,7 +199,7 @@ overrides: mdast-util-to-hast: 13.2.1 valibot: 1.2.0 glob: 11.1.0 - brace-expansion: 5.0.5 + brace-expansion: 5.0.6 nanoid: 3.3.8 esbuild: 0.25.0 "@babel/helpers": 7.26.10 @@ -209,7 +209,7 @@ overrides: "@types/express": 4.17.23 typescript: "catalog:" vite: "catalog:" - qs: 6.14.2 + qs: 6.15.2 diff: 5.2.2 webpack: 5.104.1 lodash-es: "catalog:" @@ -233,6 +233,8 @@ overrides: follow-redirects: 1.16.0 uuid: "catalog:" "fast-uri@<3.1.2": ">=3.1.2" + tmp: 0.2.6 + "ws@8": 8.20.1 allowBuilds: "@parcel/watcher": true From 087db5a21361955d2150d2169f6101074280f63e Mon Sep 17 00:00:00 2001 From: sriramveeraghanta Date: Mon, 1 Jun 2026 18:22:35 +0530 Subject: [PATCH 2/2] fix: use named axios `create` import after 1.16.0 bump MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit axios 1.16.0 newly exposes `create` as a named export, so oxlint's import/no-named-as-default-member rule now flags `axios.create(...)`. That added one warning to @plane/services (7 > its --max-warnings=6 baseline) and to apps/web and apps/live, failing check:lint — surfaced on this PR because the lockfile change busts Turbo's lint cache. Switch the three `axios.create(...)` call sites to a named `{ create }` import. `create` is a real value+type export in axios 1.16.0 (verified via tsc). isCancel/CancelToken are left as `axios.*`: CancelToken is only a type export (cannot be a value import under verbatimModuleSyntax) and both were already counted within the existing baselines. Verified locally: full `pnpm check:lint` (16/16) and `check:types` (15/15) pass. --- apps/live/src/services/api.service.ts | 4 ++-- apps/web/core/services/api.service.ts | 4 ++-- packages/services/src/api.service.ts | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apps/live/src/services/api.service.ts b/apps/live/src/services/api.service.ts index 3834bbd6b15..b04655a0be2 100644 --- a/apps/live/src/services/api.service.ts 
+++ b/apps/live/src/services/api.service.ts @@ -5,7 +5,7 @@ */ import type { AxiosInstance } from "axios"; -import axios from "axios"; +import { create } from "axios"; import { env } from "@/env"; import { AppError } from "@/lib/errors"; @@ -16,7 +16,7 @@ export abstract class APIService { constructor(baseURL?: string) { this.baseURL = baseURL || env.API_BASE_URL; - this.axiosInstance = axios.create({ + this.axiosInstance = create({ baseURL: this.baseURL, withCredentials: true, timeout: 20000, diff --git a/apps/web/core/services/api.service.ts b/apps/web/core/services/api.service.ts index 4ef1a2a4bdc..561656b33aa 100644 --- a/apps/web/core/services/api.service.ts +++ b/apps/web/core/services/api.service.ts @@ -6,7 +6,7 @@ /* eslint-disable @typescript-eslint/no-explicit-any */ import type { AxiosInstance, AxiosRequestConfig } from "axios"; -import axios from "axios"; +import { create } from "axios"; export abstract class APIService { protected baseURL: string; @@ -14,7 +14,7 @@ export abstract class APIService { constructor(baseURL: string) { this.baseURL = baseURL; - this.axiosInstance = axios.create({ + this.axiosInstance = create({ baseURL, withCredentials: true, }); diff --git a/packages/services/src/api.service.ts b/packages/services/src/api.service.ts index 3284a8aadf8..1f7b7200e7b 100644 --- a/packages/services/src/api.service.ts +++ b/packages/services/src/api.service.ts @@ -5,7 +5,7 @@ */ import type { AxiosInstance, AxiosRequestConfig } from "axios"; -import axios from "axios"; +import { create } from "axios"; /** * Abstract base class for making HTTP requests using axios @@ -21,7 +21,7 @@ export abstract class APIService { */ constructor(baseURL: string) { this.baseURL = baseURL; - this.axiosInstance = axios.create({ + this.axiosInstance = create({ baseURL, withCredentials: true, });
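Review bot: The switch to a named `create` import changes how `create({ … })` in the constructor can be mocked: a test double that only stubs the default export (for example a `vi.mock("axios")` factory that replaces the default object, or an assignment to `axios.create`) no longer intercepts this call, and the same applies to the identical call sites in apps/web/core/services/api.service.ts and packages/services/src/api.service.ts. The description verifies lint and types but does not mention the test suites, so it is worth confirming they still pass or stubbing the named export too. Since `create` is a generic name at the call site, `import { create as createAxios } from "axios"` would keep the axios origin visible where the instance is built. The enclosing `APIService` class and its constructor continue outside the hunk.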