Fix/axios resolution #3016

Merged
sammdec merged 1 commit into aave:feat/funkit-integration from yogurtandjam:fix/axios-resolution
Jun 15, 2026
@yogurtandjam

General Changes

  • pin axios to safe version to clear security vuln concern

Developer Notes

Add any notes here that may be helpful for reviewers.


Reviewer Checklist

Please ensure you, as the reviewer(s), have gone through this checklist to ensure that the code changes are ready to ship safely and to help mitigate any downstream issues that may occur.

  • End-to-end tests are passing without any errors
  • Code changes do not significantly increase the application bundle size
  • If there are new 3rd-party packages, they do not introduce potential security threats
  • If there are new environment variables being added, they have been added to the .env.example file as well as the pertinent .github/actions/* files
  • There are no CI changes, or they have been approved by the DevOps and Engineering team(s)

@vercel

vercel Bot commented Jun 15, 2026

@yogurtandjam is attempting to deploy a commit to the Aave Team on Vercel.

A member of the Team first needs to authorize it.

@yogurtandjam yogurtandjam force-pushed the fix/axios-resolution branch from a4f25c1 to 8a29e86 Compare June 15, 2026 16:16
…advisories

tronweb@^6.0.4 hard-pins axios@1.15.0, which the GitHub dependency-review
action flags with 11 high + 9 moderate advisories (ReDoS, prototype-pollution
gadgets, NO_PROXY/proxy-auth leaks). The highest first_patched_version across
all of them is 1.16.0, so pinning to the latest 1.18.0 clears the entire set.

Override only — axios stays transitive; no new primary dependency. The lockfile
collapses the axios copies (1.15.0 from tronweb, 1.16.0 from @coinbase/cdp-sdk,
1.17.0 via ^1.6.5) into a single axios@1.18.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@yogurtandjam yogurtandjam force-pushed the fix/axios-resolution branch from 8a29e86 to 0ccfc02 Compare June 15, 2026 16:22
@sammdec sammdec merged commit 8c457dc into aave:feat/funkit-integration Jun 15, 2026
1 check failed
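
Added example, not part of the pull request or the project's code: a check that an override like the one in the commit message above actually took effect, by listing every resolved axios version in a lockfile and flagging any below the 1.16.0 first-patched floor. It assumes Yarn v1 lockfile syntax (the page does not say which package manager is used); the function names, the `@example/sdk` entry and both lockfile snippets are constructed for illustration.

```javascript
// Constructed samples in Yarn v1 lockfile syntax (assumed format; not the project's lockfile).
const BEFORE = `
axios@1.15.0:
  version "1.15.0"
axios@1.16.0:
  version "1.16.0"
"axios@^1.6.5":
  version "1.17.0"
"@example/sdk@^1.0.0":
  version "1.0.0"
`;
const AFTER = `
axios@1.15.0, axios@1.16.0, "axios@^1.6.5":
  version "1.18.0"
`;
// Map each resolved version of `pkg` to the ranges that requested it.
function resolvedVersions(lockText, pkg) {
  const found = new Map();
  let ranges = [];
  for (const line of lockText.split("\n")) {
    if (/^\S.*:$/.test(line) && !line.startsWith("#")) {
      // Entry header: comma-separated "name@range" specs, optionally quoted.
      ranges = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""))
        .filter((s) => s.slice(0, s.lastIndexOf("@")) === pkg)
        .map((s) => s.slice(s.lastIndexOf("@") + 1));
      continue;
    }
    const m = line.match(/^  version "([^"]+)"$/);
    if (m && ranges.length) {
      found.set(m[1], (found.get(m[1]) || []).concat(ranges));
      ranges = [];
    }
  }
  return found;
}
// Numeric x.y.z comparison; pre-release tags are ignored (simplification).
function isBelow(version, floor) {
  const a = version.split(".").map((n) => parseInt(n, 10));
  const b = floor.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Summarise: all resolved versions, those below the floor, and whether one copy remains.
function audit(lockText, pkg, floor) {
  const versions = [...resolvedVersions(lockText, pkg).keys()].sort();
  return { versions, vulnerable: versions.filter((v) => isBelow(v, floor)), collapsed: versions.length === 1 };
}
console.log(audit(BEFORE, "axios", "1.16.0"), audit(AFTER, "axios", "1.16.0"));
```

Run in CI against the real lockfile, a non-empty `vulnerable` list or `collapsed: false` means a nested copy escaped the override.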