@madjin madjin commented Dec 12, 2025

Summary

Updates axios from 1.10.0 to 1.13.2 to fix security vulnerabilities.

CVEs Fixed (Direct Dependency)

| CVE | Severity | Description |
|---|---|---|
| GHSA-wf5p-g6vw-rhxx | HIGH | CSRF vulnerability |
| GHSA-4hjh-wcwx-xvwj | HIGH | DoS via data size check |
| GHSA-jr5f-v2jv-69x6 | HIGH | SSRF and credential leakage |

Known Issues

Transitive axios vulnerabilities remain in the deprecated @metaplex-foundation/js dependency chain. The metaplex package is deprecated and would need to be migrated to their new SDK to fully resolve.

Testing

  • Build succeeds (npm run build)
  • API calls work correctly
  • Blockchain interactions still function

🤖 Generated with Claude Code

Direct dependency updates:
- axios: 1.10.0 → 1.13.2 (SSRF/CSRF fixes)
- vite: 7.0.2 → 7.2.7 (3 security fixes)
- react/react-dom: 19.1.0 → 19.2.3
- @pixiv/three-vrm: 3.1.4 → 3.4.4
- gsap: 3.11.3 → 3.14.2
- postprocessing: 6.36.3 → 6.38.0
- wrangler: 4.23.0 → 4.54.0
- sass: 1.58.0 → 1.96.0

Security fixes:
- js-yaml: prototype pollution fix
- tmp: arbitrary file write fix

Note: Transitive vulnerabilities remain in deprecated
@metaplex-foundation/js. Migration to new SDK required.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@madjin force-pushed the security/update-axios branch from 78927b7 to 8747245 on December 13, 2025 03:51

madjin commented Dec 13, 2025

Additional Updates (amended commit)

This PR now also includes:

Security Fixes

  • vite: 7.0.2 → 7.2.7 (3 moderate CVEs fixed)
  • js-yaml: prototype pollution fix
  • tmp: arbitrary file write fix

Package Updates

  • react/react-dom: 19.1.0 → 19.2.3
  • @pixiv/three-vrm: 3.1.4 → 3.4.4
  • gsap: 3.11.3 → 3.14.2
  • postprocessing: 6.36.3 → 6.38.0
  • wrangler: 4.23.0 → 4.54.0
  • sass: 1.58.0 → 1.96.0

Build verified: npm run build passes.
