Skip to content

🔒 Security: Update axios to fix SSRF/CSRF vulnerabilities#215

Open
madjin wants to merge 1 commit intomainfrom
security/update-axios
Open

🔒 Security: Update axios to fix SSRF/CSRF vulnerabilities#215
madjin wants to merge 1 commit intomainfrom
security/update-axios

Conversation

@madjin
Copy link
Member

@madjin madjin commented Dec 12, 2025

Summary

Updates axios from 1.10.0 to 1.13.2 to fix security vulnerabilities.

CVEs Fixed (Direct Dependency)

CVE Severity Description
GHSA-wf5p-g6vw-rhxx HIGH CSRF vulnerability
GHSA-4hjh-wcwx-xvwj HIGH DoS via data size check
GHSA-jr5f-v2jv-69x6 HIGH SSRF and credential leakage

Known Issues

Transitive axios vulnerabilities remain in the deprecated @metaplex-foundation/js dependency chain. The metaplex package is deprecated and would need to be migrated to their new SDK to fully resolve.

Testing

  • Build succeeds (npm run build)
  • API calls work correctly
  • Blockchain interactions still function

🤖 Generated with Claude Code

@madjin @claude
security: update axios and other outdated dependencies
8747245 
Direct dependency updates:
- axios: 1.10.0 → 1.13.2 (SSRF/CSRF fixes)
- vite: 7.0.2 → 7.2.7 (3 security fixes)
- react/react-dom: 19.1.0 → 19.2.3
- @pixiv/three-vrm: 3.1.4 → 3.4.4
- gsap: 3.11.3 → 3.14.2
- postprocessing: 6.36.3 → 6.38.0
- wrangler: 4.23.0 → 4.54.0
- sass: 1.58.0 → 1.96.0

Security fixes:
- js-yaml: prototype pollution fix
- tmp: arbitrary file write fix

Note: Transitive vulnerabilities remain in deprecated
@metaplex-foundation/js. Migration to new SDK required.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@madjin madjin force-pushed the security/update-axios branch from 78927b7 to 8747245 Compare December 13, 2025 03:51
@madjin
Copy link
Member Author

madjin commented Dec 13, 2025

Additional Updates (amended commit)

This PR now also includes:

Security Fixes

  • vite: 7.0.2 → 7.2.7 (3 moderate CVEs fixed)
  • js-yaml: prototype pollution fix
  • tmp: arbitrary file write fix

Package Updates

  • react/react-dom: 19.1.0 → 19.2.3
  • @pixiv/three-vrm: 3.1.4 → 3.4.4
  • gsap: 3.11.3 → 3.14.2
  • postprocessing: 6.36.3 → 6.38.0
  • wrangler: 4.23.0 → 4.54.0
  • sass: 1.58.0 → 1.96.0

Build verified: npm run build passes.

@madjin madjin mentioned this pull request Dec 13, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@madjin