Dependency alert: axios compromised versions may be resolved via ^1.13.1

There is an ongoing public supply-chain compromise affecting `axios@1.14.1` and `axios@0.30.4` on npm.

https://github.com/axios/axios/issues/10604

This repository currently declares:

```json
"axios": "^1.13.1"
```

So even if the current lockfile is still safe, future lockfile refreshes / fresh installs that re-resolve dependencies may pick up a compromised Axios release.

Would you consider urgently:

1. pinning Axios to a known-good version,
2. checking that neither `axios@1.14.1` / `0.30.4` nor `plain-crypto-js` appears in the dependency tree? 

This seems worth addressing quickly because many users self-host or fork this project and may run fresh installs.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Dependency alert: axios compromised versions may be resolved via ^1.13.1 #4848

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Dependency alert: axios compromised versions may be resolved via ^1.13.1 #4848

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions