Fix axios SSRF vulnerability - upgrade to ^1.6.0#85

Open
yorkeccak wants to merge 1 commit into main from intern/909cfbde

Conversation

@yorkeccak
Contributor

Summary

  • Upgraded axios from ^1.4.0 to ^1.6.0 in package.json to fix SSRF vulnerability via protocol-relative URLs (GHSA-jr5f-v2jv-69x6)
  • Updated package-lock.json to resolve to the patched version
  • High severity fix - valyu-js is a public SDK used by many customers

Task Context

Requested by intern-agent
Run 909cfbde
Branch intern/909cfbde

Original Request

Fix security vulnerability: axios ^1.4.0 is vulnerable to SSRF via protocol-relative URLs (GHSA-jr5f-v2jv-69x6, CVE). The semver range allows installation of a patched version but requires lock file update. High severity because valyu-js is a public SDK used by many customers.

Repo: valyu-js
File: package.json:1
Category: deps
Severity: high

Test code (must pass after fix):
import json
import re

with open('/workspace/repos/valyu-js/package.json') as f:
    pkg = json.load(f)
axios_ver = pkg.get('dependencies', {}).get('axios', '')
# Read major.minor from the lower bound of the declared range, e.g. '^1.6.0' -> ('1', '6').
# '[\^~]?' allows an optional leading caret or tilde; '\.' matches the literal dot.
match = re.match(r'[\^~]?(\d+)\.(\d+)', axios_ver)
assert match and (int(match.group(1)) > 1 or int(match.group(2)) >= 6), f'axios version {axios_ver} is vulnerable; upgrade to ^1.6.0'

Apply the minimal fix to resolve this vulnerability. Run the test to confirm it passes.

Attachments

None
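The request above makes a point the test script does not cover: a semver range like ^1.4.0 already admits a patched axios, so the real question is what package-lock.json resolves to. The following added check (my own example, not part of this PR or the valyu-js repository) reads both files and reports the declared range floor and the locked version separately; the sample package.json and package-lock.json contents are constructed, and the 1.6.0 floor is taken from the PR text.

```python
import json
import re

# Minimum version stated in the PR; assumed here as the floor for the check.
MINIMUM = (1, 6, 0)

# Lower bound of a simple spec: optional ^ ~ > = prefix, then major.minor[.patch].
_VER_RE = re.compile(r'^[\^~>=]*\s*(\d+)\.(\d+)(?:\.(\d+))?')


def parse_version(spec: str):
    """Return (major, minor, patch) for '^1.4.0', '~1.5', '1.5.1', etc.
    Specs this cannot read (git URLs, 'latest', '*') return None so the
    caller treats them as unknown rather than as safe."""
    m = _VER_RE.match(spec.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def locked_version(lock: dict, name: str):
    """Resolved version of a top-level dependency in package-lock.json.
    Handles lockfileVersion 1 ('dependencies') and 2/3 ('packages')."""
    pkgs = lock.get('packages')
    if pkgs and f'node_modules/{name}' in pkgs:
        return pkgs[f'node_modules/{name}'].get('version')
    dep = lock.get('dependencies', {}).get(name)
    return dep.get('version') if dep else None


def check_dependency(pkg: dict, lock: dict, name: str, minimum=MINIMUM) -> dict:
    """Compare both the declared range floor and the locked version to `minimum`."""
    spec = pkg.get('dependencies', {}).get(name, '')
    declared = parse_version(spec)
    locked = locked_version(lock, name)
    locked_parsed = parse_version(locked) if locked else None
    return {
        'spec': spec,
        'range_ok': declared is not None and declared >= minimum,
        'locked': locked,
        'locked_ok': locked_parsed is not None and locked_parsed >= minimum,
    }


# Constructed sample files (not the repo's own): the range admits a patched
# axios, but the lock file still pins an older build, which the PR text flags.
SAMPLE_PKG = json.loads('{"dependencies": {"axios": "^1.6.0"}}')
SAMPLE_LOCK = json.loads(
    '{"lockfileVersion": 3, "packages": {"node_modules/axios": {"version": "1.5.1"}}}')

if __name__ == '__main__':
    print(check_dependency(SAMPLE_PKG, SAMPLE_LOCK, 'axios'))
```

Replace the constructed samples with `json.load` on the real package.json and package-lock.json to run it against a checkout; a result with `range_ok` true and `locked_ok` false is exactly the lock-file-update case the PR describes.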
