
Add yarn resolution for axios ^0.31.0 (CVE-2026-40175)#6

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1776220197-patch-axios-cve-2026-40175

Conversation

@devin-ai-integration

Summary

Adds a yarn resolutions field to force the transitive axios dependency from 0.25.0 to ^0.31.0, which contains the backported fix for CVE-2026-40175 (CVSS 10.0 — header injection chain enabling prototype pollution escalation to RCE/cloud metadata exfiltration).

axios is pulled in transitively via wait-on@^6.0.1. Since this repo uses Yarn 1, a resolutions override is needed rather than a direct dependency bump.

The 0.x fix was backported to 0.31.0 (release notes), keeping this on the 0.x line to avoid a major version jump.

Review & Testing Checklist for Human

  • Verify wait-on (the only consumer of axios here) still works correctly with axios 0.31.0 — the 0.31.0 release notes note that __proto__ key merging in config is now blocked, which is a minor breaking change
  • Confirm no other transitive consumers of axios in this repo are affected by the new sub-dependencies (form-data@^4.0.4, proxy-from-env@^1.1.0)

Notes

  • Part of a batch of PRs patching axios across all active WorkOS repos for CVE-2026-40175
  • wait-on is a dev dependency used in tests, so production runtime is unaffected

Link to Devin session: https://app.devin.ai/sessions/f8a4b2e92c6b4dd1aadcf7becc2ae7bf

Co-Authored-By: matthew.marji <matthew.marji@workos.com>
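As an added example (not part of this PR or of the repository's own code), the script below checks the thing a reviewer actually cares about with a `resolutions` override: that `yarn.lock` was regenerated and every lockfile entry for the overridden package now resolves inside the pinned caret range. Both lockfiles in it are constructed for illustration; their `resolved` URLs and `integrity` hashes are placeholders, and `follow-redirects` pins are assumed, not taken from the PR.

```javascript
// Added example, not part of this PR or the repository: verify that a Yarn 1
// "resolutions" override actually took effect in yarn.lock. If the key was added
// but "yarn install" never re-ran, the vulnerable version is still installed.
// Lockfile contents below are constructed; URLs and hashes are placeholders.

// The package.json fragment this PR adds.
const PACKAGE_JSON_FRAGMENT = { resolutions: { axios: "^0.31.0" } };

// Constructed yarn.lock after the resolution was honoured: the ^0.25.0 request
// from wait-on and the ^0.31.0 resolution collapse into one entry at 0.31.0.
const LOCK_PATCHED = `# yarn lockfile v1

axios@^0.25.0, axios@^0.31.0:
  version "0.31.0"
  resolved "https://registry.example.invalid/axios/-/axios-0.31.0.tgz#PLACEHOLDER"
  dependencies:
    follow-redirects "^1.15.6"
    form-data "^4.0.4"
    proxy-from-env "^1.1.0"

wait-on@^6.0.1:
  version "6.0.1"
  resolved "https://registry.example.invalid/wait-on/-/wait-on-6.0.1.tgz#PLACEHOLDER"
  dependencies:
    axios "^0.25.0"
`;

// Constructed yarn.lock where the override was not applied: axios still 0.25.0.
const LOCK_STALE = `# yarn lockfile v1

axios@^0.25.0:
  version "0.25.0"
  resolved "https://registry.example.invalid/axios/-/axios-0.25.0.tgz#PLACEHOLDER"
  dependencies:
    follow-redirects "^1.14.7"
`;

// Parse the Yarn 1 lockfile into { specs, name, version } entries. A header is
// an unindented, non-comment line ending in ":" that lists one or more
// "name@range" specs which all resolve to the following "version" line.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (/^[^\s#].*:$/.test(line)) {
      const specs = line.slice(0, -1).split(", ").map((s) => s.replace(/^"|"$/g, ""));
      const name = specs[0].slice(0, specs[0].lastIndexOf("@")); // handles @scope/pkg
      current = { specs, name, version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version "([^"]+)"$/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Minimal semver helpers: [major, minor, patch] and a three-way comparison.
function parseVersion(v) {
  return v.split(".").map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Caret semantics as yarn/npm apply them: not below the base, and the leftmost
// non-zero component is frozen. On the 0.x line, ^0.31.0 allows 0.31.x only.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges supported here");
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(v, base) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Audit every lockfile entry for each package named in "resolutions". Returns
// { ok, violations }, each violation carrying the specs, version and range.
function auditResolutions(lockText, resolutions) {
  const violations = [];
  for (const entry of parseYarnLock(lockText)) {
    const range = resolutions[entry.name];
    if (!range) continue;
    if (entry.version === null || !satisfiesCaret(entry.version, range)) {
      violations.push({ specs: entry.specs, version: entry.version, range });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Stand-alone run: report both constructed lockfiles.
for (const [label, lock] of [["patched", LOCK_PATCHED], ["stale", LOCK_STALE]]) {
  const r = auditResolutions(lock, PACKAGE_JSON_FRAGMENT.resolutions);
  console.log(label, r.ok ? "ok" : "VIOLATION", JSON.stringify(r.violations));
}
```

In a real repo you would feed `auditResolutions` the contents of `yarn.lock` and the `resolutions` object from `package.json`, and fail CI on `ok === false`; the caret check deliberately rejects `0.32.0` for `^0.31.0`, since on the 0.x line a caret only admits patch releases.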
@devin-ai-integration
Author

Original prompt from matthew.marji

SYSTEM:
=== BEGIN THREAD HISTORY (in #inc-595-axios-cve-2026-40175) ===
<most_recent_message>
Matthew Marji (U072HPDRZ53): @Devin open PRs to patch axios for the repos that @Will Porter (U0AN253S805) noted as active
</most_recent_message>
=== END THREAD HISTORY ===

Thread URL: https://work-os.slack.com/archives/C0ASVCL84F4/p1776198300748259?thread_ts=1776198300.748259&cid=C0ASVCL84F4

The latest message is the one right above that tagged you. The <most_recent_message> is the message that you should use to guide your goals + task for this session, and you should use the rest of the slack thread as context.

@devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@devin-ai-integration
Author

@nickcollisson-workos Could you review this axios security patch for CVE-2026-40175? (yarn resolution for 0.x line → ^0.31.0)

