Skip to content

chore(SEC-10496): upgrade axios to 0.31.1#42

Draft
phantom-autopilot[bot] wants to merge 1 commit intomasterfrom
autopilot2/sec-10496_high-upgrade-axios-in-github-com-phantom-react-native-webvie
Draft

chore(SEC-10496): upgrade axios to 0.31.1#42
phantom-autopilot[bot] wants to merge 1 commit intomasterfrom
autopilot2/sec-10496_high-upgrade-axios-in-github-com-phantom-react-native-webvie

Conversation

@phantom-autopilot
Copy link
Copy Markdown

@phantom-autopilot phantom-autopilot Bot commented May 5, 2026
edited by coderabbitai Bot
Loading

Summary

  • Pin transitive axios to 0.31.1 via yarn resolutions to address GHSA-pmwg-cvhr-8vh7 (CVE-2026-42043).
  • Advisory: incomplete fix for CVE-2025-62718NO_PROXY protection bypassed via the RFC 1122 loopback subnet (127.0.0.0/8). Severity: HIGH. Fix version: 0.31.1.
  • axios is only a transitive dev dependency (pulled in by appium/selenium packages); no direct dependency exists. Using resolutions upgrades the locked copy from 0.28.0 → 0.31.1 across all consumers without changing direct dependencies.

Linear

Resolves SEC-10496.

Test plan

  • yarn install succeeds and yarn.lock resolves a single axios entry at 0.31.1.
  • yarn lint (tsc + eslint) passes.
  • Pre-existing failure in __tests__/Alert.test.js (Appium ECONNREFUSED on 127.0.0.1:4723) verified to also fail on the base branch and is unrelated to this change.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Pinned axios dependency to version 0.31.1 in Yarn resolution configuration.

@phantom-autopilot
chore(SEC-10496): upgrade axios to 0.31.1
a60da37 
Pin transitive axios to 0.31.1 via yarn resolutions to address
GHSA-pmwg-cvhr-8vh7 (CVE-2026-42043) — incomplete fix for CVE-2025-62718
where NO_PROXY protection is bypassed via RFC 1122 loopback subnet
(127.0.0.0/8).

axios is brought in only as a transitive dev dependency through
appium/selenium packages; using "resolutions" upgrades all locked
copies (was 0.28.0) without changing direct dependencies.
@phantom-autopilot
Copy link
Copy Markdown
Author

phantom-autopilot Bot commented May 5, 2026

PR opened by agent

#42

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 5, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e130d163-0701-4435-b946-c79ad5bf70ad

📥 Commits

Reviewing files that changed from the base of the PR and between 413d5ea and a60da37.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
📝 Walkthrough

Walkthrough

The PR adds a Yarn "resolutions" block to package.json that pins axios to version 0.31.1, ensuring consistent dependency resolution across the project regardless of nested dependencies or transitive version declarations.

Changes

Dependency Resolution

Layer / File(s) Summary
Dependency Configuration
package.json		 Added "resolutions" field with "axios": "0.31.1" to enforce a specific axios version across all dependency trees.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: upgrading axios to version 0.31.1 as a dependency resolution fix. It includes the ticket reference and is clear and specific.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch autopilot2/sec-10496_high-upgrade-axios-in-github-com-phantom-react-native-webvie

Comment @coderabbitai help to get the list of available commands and usage tips.

@phantom-autopilot
Copy link
Copy Markdown
Author

phantom-autopilot Bot commented May 5, 2026

Task completed

✔ Upgrade axios to 0.31.1

@phantom-autopilot
Copy link
Copy Markdown
Author

phantom-autopilot Bot commented May 5, 2026

PR opened by agent

Draft PR: #42

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phantom-autopilot