$ date
--- stdout ---
Wed Jun 10 13:22:09 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-WikimediaCustomizations.git /src/repo --depth=1 -b REL1_46
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_46
--- stdout ---
7a57c7d15fd8f929ba4e5f800a49ca9f927c374c refs/heads/REL1_46
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
},
{
"source": 1116672,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1117573,
"name": "axios",
"dependency": "axios",
"title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy",
"url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117575,
"name": "axios",
"dependency": "axios",
"title": "Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0",
"url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7",
"severity": "high",
"cwe": [
"CWE-183",
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117579,
"name": "axios",
"dependency": "axios",
"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams",
"url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw",
"severity": "low",
"cwe": [
"CWE-116",
"CWE-626"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117582,
"name": "axios",
"dependency": "axios",
"title": "Axios: no_proxy bypass via IP alias allows SSRF",
"url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117586,
"name": "axios",
"dependency": "axios",
"title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0",
"url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117588,
"name": "axios",
"dependency": "axios",
"title": "Axios: HTTP adapter streamed responses bypass maxContentLength",
"url": "https://github.com/advisories/GHSA-vf2m-468p-8v99",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117590,
"name": "axios",
"dependency": "axios",
"title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking",
"url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117592,
"name": "axios",
"dependency": "axios",
"title": "Axios: Header Injection via Prototype Pollution",
"url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9",
"severity": "high",
"cwe": [
"CWE-113",
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117594,
"name": "axios",
"dependency": "axios",
"title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion",
"url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c",
"severity": "moderate",
"cwe": [
"CWE-183",
"CWE-201"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117857,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.30.2"
},
{
"source": 1119403,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1119666,
"name": "axios",
"dependency": "axios",
"title": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",
"url": "https://github.com/advisories/GHSA-pjwm-pj3p-43mv",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.1"
},
{
"source": 1119668,
"name": "axios",
"dependency": "axios",
"title": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",
"url": "https://github.com/advisories/GHSA-898c-q2cr-xwhg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=0.31.1"
},
{
"source": 1119673,
"name": "axios",
"dependency": "axios",
"title": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",
"url": "https://github.com/advisories/GHSA-3g43-6gmg-66jw",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-1321"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"
},
"range": ">=0.19.0 <0.31.1"
},
{
"source": 1120072,
"name": "axios",
"dependency": "axios",
"title": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",
"url": "https://github.com/advisories/GHSA-hfxv-24rg-xrqf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.1"
},
{
"source": 1120075,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",
"url": "https://github.com/advisories/GHSA-p92q-9vqr-4j8v",
"severity": "high",
"cwe": [
"CWE-201"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=0.31.1"
},
{
"source": 1120077,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",
"url": "https://github.com/advisories/GHSA-j5f8-grm9-p9fc",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=0.31.1"
},
{
"source": 1120124,
"name": "axios",
"dependency": "axios",
"title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data",
"url": "https://github.com/advisories/GHSA-62hf-57xw-28j9",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.0"
}
],
"effects": [
"openapi-validator"
],
"range": "<=0.31.1",
"nodes": [
"node_modules/axios"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"chai-openapi-response-validator": {
"name": "chai-openapi-response-validator",
"severity": "high",
"isDirect": true,
"via": [
"openapi-validator"
],
"effects": [],
"range": "0.11.2 || >=0.14.2-alpha.0",
"nodes": [
"node_modules/chai-openapi-response-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"openapi-validator": {
"name": "openapi-validator",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [
"chai-openapi-response-validator"
],
"range": ">=0.14.2-alpha.0",
"nodes": [
"node_modules/openapi-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119502,
"name": "qs",
"dependency": "qs",
"title": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26",
"severity": "moderate",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.11.1 <=6.15.1"
}
],
"effects": [],
"range": "6.11.1 - 6.15.1",
"nodes": [
"node_modules/qs"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 1,
"high": 3,
"critical": 0,
"total": 4
},
"dependencies": {
"prod": 1,
"dev": 547,
"optional": 0,
"peer": 1,
"peerOptional": 0,
"total": 547
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 38 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.10)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
- Locking doctrine/deprecations (1.1.6)
- Locking mediawiki/mediawiki-codesniffer (v50.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.4.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (6.1.0)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v8.1.0)
- Locking symfony/deprecation-contracts (v3.7.0)
- Locking symfony/polyfill-ctype (v1.37.0)
- Locking symfony/polyfill-intl-grapheme (v1.38.1)
- Locking symfony/polyfill-intl-normalizer (v1.38.0)
- Locking symfony/polyfill-mbstring (v1.38.2)
- Locking symfony/polyfill-php85 (v1.38.1)
- Locking symfony/service-contracts (v3.7.0)
- Locking symfony/string (v8.1.0)
- Locking webmozart/assert (2.4.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 38 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.38.2): Extracting archive
- Installing composer/spdx-licenses (1.5.10): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v50.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.38.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.38.1): Extracting archive
- Installing symfony/polyfill-ctype (v1.37.0): Extracting archive
- Installing symfony/string (v8.1.0): Extracting archive
- Installing symfony/deprecation-contracts (v3.7.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.7.0): Extracting archive
- Installing symfony/polyfill-php85 (v1.38.1): Extracting archive
- Installing symfony/console (v8.1.0): Extracting archive
- Installing sabre/event (6.1.0): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.4.0): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/36 [>---------------------------] 0%
27/36 [=====================>------] 75%
36/36 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
},
{
"source": 1116672,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1117573,
"name": "axios",
"dependency": "axios",
"title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy",
"url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117575,
"name": "axios",
"dependency": "axios",
"title": "Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0",
"url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7",
"severity": "high",
"cwe": [
"CWE-183",
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117579,
"name": "axios",
"dependency": "axios",
"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams",
"url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw",
"severity": "low",
"cwe": [
"CWE-116",
"CWE-626"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117582,
"name": "axios",
"dependency": "axios",
"title": "Axios: no_proxy bypass via IP alias allows SSRF",
"url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117586,
"name": "axios",
"dependency": "axios",
"title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0",
"url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117588,
"name": "axios",
"dependency": "axios",
"title": "Axios: HTTP adapter streamed responses bypass maxContentLength",
"url": "https://github.com/advisories/GHSA-vf2m-468p-8v99",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117590,
"name": "axios",
"dependency": "axios",
"title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking",
"url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117592,
"name": "axios",
"dependency": "axios",
"title": "Axios: Header Injection via Prototype Pollution",
"url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9",
"severity": "high",
"cwe": [
"CWE-113",
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117594,
"name": "axios",
"dependency": "axios",
"title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion",
"url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c",
"severity": "moderate",
"cwe": [
"CWE-183",
"CWE-201"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117857,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.30.2"
},
{
"source": 1119403,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1119666,
"name": "axios",
"dependency": "axios",
"title": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",
"url": "https://github.com/advisories/GHSA-pjwm-pj3p-43mv",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.1"
},
{
"source": 1119668,
"name": "axios",
"dependency": "axios",
"title": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",
"url": "https://github.com/advisories/GHSA-898c-q2cr-xwhg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=0.31.1"
},
{
"source": 1119673,
"name": "axios",
"dependency": "axios",
"title": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",
"url": "https://github.com/advisories/GHSA-3g43-6gmg-66jw",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-1321"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"
},
"range": ">=0.19.0 <0.31.1"
},
{
"source": 1120072,
"name": "axios",
"dependency": "axios",
"title": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",
"url": "https://github.com/advisories/GHSA-hfxv-24rg-xrqf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.1"
},
{
"source": 1120075,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",
"url": "https://github.com/advisories/GHSA-p92q-9vqr-4j8v",
"severity": "high",
"cwe": [
"CWE-201"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=0.31.1"
},
{
"source": 1120077,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",
"url": "https://github.com/advisories/GHSA-j5f8-grm9-p9fc",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=0.31.1"
},
{
"source": 1120124,
"name": "axios",
"dependency": "axios",
"title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data",
"url": "https://github.com/advisories/GHSA-62hf-57xw-28j9",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.0"
}
],
"effects": [
"openapi-validator"
],
"range": "<=0.31.1",
"nodes": [
"node_modules/axios"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"chai-openapi-response-validator": {
"name": "chai-openapi-response-validator",
"severity": "high",
"isDirect": true,
"via": [
"openapi-validator"
],
"effects": [],
"range": "0.11.2 || >=0.14.2-alpha.0",
"nodes": [
"node_modules/chai-openapi-response-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"openapi-validator": {
"name": "openapi-validator",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [
"chai-openapi-response-validator"
],
"range": ">=0.14.2-alpha.0",
"nodes": [
"node_modules/openapi-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119502,
"name": "qs",
"dependency": "qs",
"title": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26",
"severity": "moderate",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.11.1 <=6.15.1"
}
],
"effects": [],
"range": "6.11.1 - 6.15.1",
"nodes": [
"node_modules/qs"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 1,
"high": 3,
"critical": 0,
"total": 4
},
"dependencies": {
"prod": 1,
"dev": 547,
"optional": 0,
"peer": 1,
"peerOptional": 0,
"total": 547
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 547,
"removed": 0,
"changed": 0,
"audited": 548,
"funding": 131,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
},
{
"source": 1116672,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1117573,
"name": "axios",
"dependency": "axios",
"title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy",
"url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117575,
"name": "axios",
"dependency": "axios",
"title": "Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0",
"url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7",
"severity": "high",
"cwe": [
"CWE-183",
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117579,
"name": "axios",
"dependency": "axios",
"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams",
"url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw",
"severity": "low",
"cwe": [
"CWE-116",
"CWE-626"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117582,
"name": "axios",
"dependency": "axios",
"title": "Axios: no_proxy bypass via IP alias allows SSRF",
"url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117586,
"name": "axios",
"dependency": "axios",
"title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0",
"url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117588,
"name": "axios",
"dependency": "axios",
"title": "Axios: HTTP adapter streamed responses bypass maxContentLength",
"url": "https://github.com/advisories/GHSA-vf2m-468p-8v99",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117590,
"name": "axios",
"dependency": "axios",
"title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking",
"url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117592,
"name": "axios",
"dependency": "axios",
"title": "Axios: Header Injection via Prototype Pollution",
"url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9",
"severity": "high",
"cwe": [
"CWE-113",
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117594,
"name": "axios",
"dependency": "axios",
"title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion",
"url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c",
"severity": "moderate",
"cwe": [
"CWE-183",
"CWE-201"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117857,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.30.2"
},
{
"source": 1119403,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1119666,
"name": "axios",
"dependency": "axios",
"title": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",
"url": "https://github.com/advisories/GHSA-pjwm-pj3p-43mv",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.1"
},
{
"source": 1119668,
"name": "axios",
"dependency": "axios",
"title": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",
"url": "https://github.com/advisories/GHSA-898c-q2cr-xwhg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=0.31.1"
},
{
"source": 1119673,
"name": "axios",
"dependency": "axios",
"title": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",
"url": "https://github.com/advisories/GHSA-3g43-6gmg-66jw",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-1321"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"
},
"range": ">=0.19.0 <0.31.1"
},
{
"source": 1120072,
"name": "axios",
"dependency": "axios",
"title": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",
"url": "https://github.com/advisories/GHSA-hfxv-24rg-xrqf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.1"
},
{
"source": 1120075,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",
"url": "https://github.com/advisories/GHSA-p92q-9vqr-4j8v",
"severity": "high",
"cwe": [
"CWE-201"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=0.31.1"
},
{
"source": 1120077,
"name": "axios",
"dependency": "axios",
"title": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",
"url": "https://github.com/advisories/GHSA-j5f8-grm9-p9fc",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=0.31.1"
},
{
"source": 1120124,
"name": "axios",
"dependency": "axios",
"title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data",
"url": "https://github.com/advisories/GHSA-62hf-57xw-28j9",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.0"
}
],
"effects": [
"openapi-validator"
],
"range": "<=0.31.1",
"nodes": [
"node_modules/axios"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"chai-openapi-response-validator": {
"name": "chai-openapi-response-validator",
"severity": "high",
"isDirect": true,
"via": [
"openapi-validator"
],
"effects": [],
"range": "0.11.2 || >=0.14.2-alpha.0",
"nodes": [
"node_modules/chai-openapi-response-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"openapi-validator": {
"name": "openapi-validator",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [
"chai-openapi-response-validator"
],
"range": ">=0.14.2-alpha.0",
"nodes": [
"node_modules/openapi-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119502,
"name": "qs",
"dependency": "qs",
"title": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26",
"severity": "moderate",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.11.1 <=6.15.1"
}
],
"effects": [],
"range": "6.11.1 - 6.15.1",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 1,
"high": 3,
"critical": 0,
"total": 4
},
"dependencies": {
"prod": 1,
"dev": 547,
"optional": 0,
"peer": 1,
"peerOptional": 0,
"total": 547
}
}
}
}
--- end ---
{"added": 547, "removed": 0, "changed": 0, "audited": 548, "funding": 131, "audit": {"auditReportVersion": 2, "vulnerabilities": {"axios": {"name": "axios", "severity": "high", "isDirect": false, "via": [{"source": 1097679, "name": "axios", "dependency": "axios", "title": "Axios Cross-Site Request Forgery Vulnerability", "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", "severity": "moderate", "cwe": ["CWE-352"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "range": ">=0.8.1 <0.28.0"}, {"source": 1111034, "name": "axios", "dependency": "axios", "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL", "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6", "severity": "high", "cwe": ["CWE-918"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.30.0"}, {"source": 1116672, "name": "axios", "dependency": "axios", "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF", "url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5", "severity": "moderate", "cwe": ["CWE-441", "CWE-918"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<0.31.0"}, {"source": 1117573, "name": "axios", "dependency": "axios", "title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy", "url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63", "severity": "moderate", "cwe": ["CWE-287", "CWE-1321"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117575, "name": "axios", "dependency": "axios", "title": "Axios: Incomplete Fix for CVE-2025-62718 \u2014 NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0", "url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7", "severity": "high", "cwe": ["CWE-183", "CWE-441", "CWE-918"], "cvss": {"score": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117579, "name": "axios", "dependency": "axios", "title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams", "url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw", "severity": "low", "cwe": ["CWE-116", "CWE-626"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117582, "name": "axios", "dependency": "axios", "title": "Axios: no_proxy bypass via IP alias allows SSRF", "url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}, "range": "<=0.31.0"}, {"source": 1117586, "name": "axios", "dependency": "axios", "title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0", "url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx", "severity": "moderate", "cwe": ["CWE-770"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<=0.31.0"}, {"source": 1117588, "name": "axios", "dependency": "axios", "title": "Axios: HTTP adapter streamed responses bypass maxContentLength", "url": "https://github.com/advisories/GHSA-vf2m-468p-8v99", "severity": "moderate", "cwe": ["CWE-770"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<=0.31.0"}, {"source": 1117590, "name": "axios", "dependency": "axios", "title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking", "url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "range": "<=0.31.0"}, {"source": 1117592, "name": "axios", "dependency": "axios", "title": "Axios: Header Injection via Prototype Pollution", "url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9", "severity": "high", "cwe": ["CWE-113", "CWE-1321"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "range": "<=0.31.0"}, {"source": 1117594, "name": "axios", "dependency": "axios", "title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion", "url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c", "severity": "moderate", "cwe": ["CWE-183", "CWE-201"], "cvss": {"score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117857, "name": "axios", "dependency": "axios", "title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig", "url": "https://github.com/advisories/GHSA-43fc-jf86-j433", "severity": "high", "cwe": ["CWE-754", "CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=0.30.2"}, {"source": 1119403, "name": "axios", "dependency": "axios", "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain", "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx", "severity": "moderate", "cwe": ["CWE-113", "CWE-444", "CWE-918"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<0.31.0"}, {"source": 1119666, "name": "axios", "dependency": "axios", "title": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)", "url": "https://github.com/advisories/GHSA-pjwm-pj3p-43mv", "severity": "high", "cwe": ["CWE-918"], "cvss": {"score": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}, "range": "<=0.31.1"}, {"source": 1119668, "name": "axios", "dependency": "axios", "title": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions", "url": "https://github.com/advisories/GHSA-898c-q2cr-xwhg", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=0.31.1"}, {"source": 1119673, "name": "axios", "dependency": "axios", "title": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge", "url": "https://github.com/advisories/GHSA-3g43-6gmg-66jw", "severity": "high", "cwe": ["CWE-94", "CWE-1321"], "cvss": {"score": 7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"}, "range": ">=0.19.0 <0.31.1"}, {"source": 1120072, "name": "axios", "dependency": "axios", "title": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection", "url": "https://github.com/advisories/GHSA-hfxv-24rg-xrqf", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=0.31.1"}, {"source": 1120075, "name": "axios", "dependency": "axios", "title": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter", "url": "https://github.com/advisories/GHSA-p92q-9vqr-4j8v", "severity": "high", "cwe": ["CWE-201"], "cvss": {"score": 0, "vectorString": null}, "range": "<=0.31.1"}, {"source": 1120077, "name": "axios", "dependency": "axios", "title": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection", "url": "https://github.com/advisories/GHSA-j5f8-grm9-p9fc", "severity": "high", "cwe": ["CWE-200"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "range": "<=0.31.1"}, {"source": 1120124, "name": "axios", "dependency": "axios", "title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data", "url": "https://github.com/advisories/GHSA-62hf-57xw-28j9", "severity": "moderate", "cwe": ["CWE-674"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=0.31.0"}], "effects": ["openapi-validator"], "range": "<=0.31.1", "nodes": ["node_modules/axios"], "fixAvailable": {"name": "chai-openapi-response-validator", "version": "0.14.1", "isSemVerMajor": true}}, "chai-openapi-response-validator": {"name": "chai-openapi-response-validator", "severity": "high", "isDirect": true, "via": ["openapi-validator"], "effects": [], "range": "0.11.2 || >=0.14.2-alpha.0", "nodes": ["node_modules/chai-openapi-response-validator"], "fixAvailable": {"name": "chai-openapi-response-validator", "version": "0.14.1", "isSemVerMajor": true}}, "openapi-validator": {"name": "openapi-validator", "severity": "high", "isDirect": false, "via": ["axios"], "effects": ["chai-openapi-response-validator"], "range": ">=0.14.2-alpha.0", "nodes": ["node_modules/openapi-validator"], "fixAvailable": {"name": "chai-openapi-response-validator", "version": "0.14.1", "isSemVerMajor": true}}, "qs": {"name": "qs", "severity": "moderate", "isDirect": false, "via": [{"source": 1119502, "name": "qs", "dependency": "qs", "title": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set", "url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26", "severity": "moderate", "cwe": ["CWE-476"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=6.11.1 <=6.15.1"}], "effects": [], "range": "6.11.1 - 6.15.1", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 3, "critical": 0, "total": 4}, "dependencies": {"prod": 1, "dev": 547, "optional": 0, "peer": 1, "peerOptional": 0, "total": 547}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated osenv@0.1.5: This package is no longer supported.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 547 packages, and audited 548 packages in 6s
131 packages are looking for funding
run `npm fund` for details
# npm audit report
axios <=0.31.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - https://github.com/advisories/GHSA-w9j2-pvgh-6h63
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 - https://github.com/advisories/GHSA-pmwg-cvhr-8vh7
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams - https://github.com/advisories/GHSA-xhjh-pmcv-23jw
Axios: no_proxy bypass via IP alias allows SSRF - https://github.com/advisories/GHSA-m7pr-hjqh-92cm
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 - https://github.com/advisories/GHSA-5c9x-8gcm-mpgx
Axios: HTTP adapter streamed responses bypass maxContentLength - https://github.com/advisories/GHSA-vf2m-468p-8v99
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - https://github.com/advisories/GHSA-pf86-5x62-jrwf
Axios: Header Injection via Prototype Pollution - https://github.com/advisories/GHSA-6chq-wfr3-2hj9
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - https://github.com/advisories/GHSA-xx6v-rp6x-q39c
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - https://github.com/advisories/GHSA-43fc-jf86-j433
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) - https://github.com/advisories/GHSA-pjwm-pj3p-43mv
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions - https://github.com/advisories/GHSA-898c-q2cr-xwhg
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge - https://github.com/advisories/GHSA-3g43-6gmg-66jw
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection - https://github.com/advisories/GHSA-hfxv-24rg-xrqf
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter - https://github.com/advisories/GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection - https://github.com/advisories/GHSA-j5f8-grm9-p9fc
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data - https://github.com/advisories/GHSA-62hf-57xw-28j9
fix available via `npm audit fix --force`
Will install chai-openapi-response-validator@0.14.1, which is a breaking change
node_modules/axios
openapi-validator >=0.14.2-alpha.0
Depends on vulnerable versions of axios
node_modules/openapi-validator
chai-openapi-response-validator 0.11.2 || >=0.14.2-alpha.0
Depends on vulnerable versions of openapi-validator
node_modules/chai-openapi-response-validator
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated osenv@0.1.5: This package is no longer supported.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 547 packages, and audited 548 packages in 7s
131 packages are looking for funding
run `npm fund` for details
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> grunt test
Running "eslint:all" (eslint) task
Running "stylelint:all" (stylelint) task
>> Linted 0 files without errors
Running "banana:WikimediaCustomizations" (banana) task
>> 2 message directories checked.
Done.
--- end ---
{"1119502": {"source": 1119502, "name": "qs", "dependency": "qs", "title": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set", "url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26", "severity": "moderate", "cwe": ["CWE-476"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=6.11.1 <=6.15.1"}}
Upgrading n:qs from 6.15.0 -> 6.15.2
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating qs to 6.15.2
* https://github.com/advisories/GHSA-q8mj-m7cp-5q26
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmpbhi3z9w0
--- stdout ---
[REL1_46 5005328] build: Updating qs to 6.15.2
1 file changed, 3 insertions(+), 4 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 50053289272362d79ded16d1b7533b488d89e208 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Wed, 10 Jun 2026 13:22:38 +0000
Subject: [PATCH] build: Updating qs to 6.15.2
* https://github.com/advisories/GHSA-q8mj-m7cp-5q26
Change-Id: I1a32a2187dd16852c5290f75a1c8ede774d9d851
---
package-lock.json | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 5e6bee0..fa66b97 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5157,11 +5157,10 @@
}
},
"node_modules/qs": {
- "version": "6.15.0",
- "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.0.tgz",
- "integrity": "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==",
+ "version": "6.15.2",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
+ "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==",
"dev": true,
- "license": "BSD-3-Clause",
"dependencies": {
"side-channel": "^1.1.0"
},
--
2.47.3
--- end ---