Update pnpm and axios dependencies#6
Conversation
Upgrade axios from 1.15.0 to 1.16.1 (>= 1.15.2 fix) in both pnpm-lock.yaml and package-lock.json to resolve the 14 reported vulnerabilities including CVE-2026-42043. Bump packageManager to pnpm@11.1.2 and add pnpm-workspace.yaml allowBuilds (required by pnpm 11 to permit esbuild's install script). https://claude.ai/code/session_016houJLoqJuTAUFhQE8AVs6
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Code Review
This pull request updates the pnpm package manager version and modifies project dependencies, including an update to axios and the removal of dependency overrides in the lockfile. However, the review identifies critical security concerns: the specified axios version (1.16.1) does not exist in the official registry and appears suspicious, suggesting a potential supply chain attack. Additionally, the removal of overrides has caused a security regression by downgrading serialize-javascript to a vulnerable version.
I am having trouble creating individual review comments. Click here to see my feedback.
package.json (32)
The version ^1.15.2 for axios (and the resolved 1.16.1 in the lockfiles) does not exist on the official npm registry. The current stable version of axios is 1.7.9. Furthermore, the lockfile changes show this version introducing a dependency on https-proxy-agent, which is not part of the official axios package. This is highly suspicious and could indicate a supply chain attack or dependency confusion. Please revert to the official version.
"axios": "^1.7.9",
pnpm-lock.yaml (7-9)
The overrides section has been removed from the lockfile. This has resulted in serialize-javascript being downgraded from 7.0.5 to 6.0.2 (as seen in line 930), which violates the requirements defined in package.json and introduces a security regression. Older versions of serialize-javascript are known to have vulnerabilities.
pnpm 11 reads overrides from pnpm-workspace.yaml rather than the package.json "pnpm.overrides" field, so the lockfile regeneration had dropped the serialize-javascript >=7.0.5 override and downgraded it to 6.0.2 (pulled transitively by mocha). Move the override into pnpm-workspace.yaml so pnpm 11 enforces it; serialize-javascript is back to 7.0.5 in both lockfiles. https://claude.ai/code/session_016houJLoqJuTAUFhQE8AVs6
Thanks for the review. Addressing both points:
1. axios
2. serialize-javascript override — valid catch, fixed.
Generated by Claude Code
Add supply-chain hardening to pnpm-workspace.yaml: minimumReleaseAge 2880 (48 hours) so newly published versions are not installed until they have been public for two days, and blockExoticSubdeps true so transitive dependencies must resolve from a trusted registry rather than git/tarball URLs. https://claude.ai/code/session_016houJLoqJuTAUFhQE8AVs6
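The three commits above each add one setting to pnpm-workspace.yaml; the file below collects them in one place as an added example, not the PR's own file. The values (esbuild under allowBuilds, the serialize-javascript >=7.0.5 override, minimumReleaseAge 2880, blockExoticSubdeps true) are the ones named in this thread; the exact key spellings are pnpm's documented setting names as I understand them and should be checked against the pnpm 11 docs before use.

```yaml
# pnpm-workspace.yaml (added example, not the file from this PR)
# With pnpm 11, overrides and install-script permissions are read from this
# file rather than from the "pnpm" field of package.json.

# Install scripts are blocked by default; only esbuild is permitted to run its
# postinstall step. Any other package that tries to run a script is skipped.
allowBuilds:
  esbuild: true

# Pin the transitive floor that the regenerated lockfile dropped: mocha pulls
# serialize-javascript 6.0.2 without this override.
overrides:
  serialize-javascript: '>=7.0.5'

# Refuse versions published less than 48 hours ago (value is in minutes), so a
# freshly pushed malicious release is not picked up before it can be reported.
minimumReleaseAge: 2880

# Transitive dependencies must resolve from the configured registry, not from
# git or tarball URLs that bypass registry provenance.
blockExoticSubdeps: true
```

After editing the file, regenerate the lockfile with pnpm install and confirm that pnpm-lock.yaml once again carries the overrides entry and resolves serialize-javascript to 7.0.5; that lockfile diff, not the workspace file alone, is the evidence a reviewer should look for.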
Summary
This PR updates the project's package manager and a core dependency to their latest versions, along with adding workspace configuration.
Key Changes
- pnpm-workspace.yaml with esbuild allowBuilds configuration
Implementation Details
The new pnpm-workspace.yaml file enables esbuild builds within the pnpm workspace, which may be necessary for the upgraded pnpm version or to support future workspace features. The axios upgrade brings in the latest bug fixes and improvements while maintaining backward compatibility within the semver range. https://claude.ai/code/session_016houJLoqJuTAUFhQE8AVs6
Need help on this PR? Tag @codesmith with what you need.