chore(deps): Update Yarn dependencies (security-updates) #422

Closed
nielsdrost7 wants to merge 1 commit into develop from automated/yarn-update-20

Conversation

@nielsdrost7 (Collaborator) commented Feb 23, 2026

Yarn Dependency Update

This PR updates Yarn (npm) dependencies.

Update Type: security-updates
Triggered by: schedule

Lock File Status

✓ No lock file conflicts detected.

Updated Packages

╔═══════════════════════════════════════════════════════════════╗
║                    Package Update Report                     ║
╚═══════════════════════════════════════════════════════════════╝

📦 DIRECT DEPENDENCIES (from package.json)
─────────────────────────────────────────────────────────────────

  ✓ axios
    1.13.2 → 1.13.5


═════════════════════════════════════════════════════════════════
SUMMARY: 1 direct, 0 transitive (1 total)
═════════════════════════════════════════════════════════════════

Checks Performed

  • Assets built successfully
  • Dependencies installed and verified
  • Lock file conflicts checked

Security Audit

1 security vulnerability detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify assets build correctly
  • Check for breaking changes in frontend
  • Test UI changes in development environment
  • Verify no console errors in browser

This PR was automatically created by the Yarn Update workflow.

Summary by CodeRabbit

  • Bug Fixes

    • Updated axios dependency to version 1.13.5
  • Chores

    • Restructured audit report format with organized vulnerability summary
    • Enhanced package update report presentation with improved formatting and dependency tracking

@coderabbitai (Contributor, bot) commented Feb 23, 2026

Walkthrough

The pull request updates the axios dependency from version 1.13.2 to 1.13.5 in package.json and introduces audit advisory data detailing a CVE vulnerability, along with restructured audit report formatting and a reformatted package update report with ASCII art styling.

Changes

Audit Data Files: audit-before.json, audit-report.json
  Introduces detailed audit advisory data for CVE-2026-25639 (axios vulnerability) with resolution metadata, findings, and references. Restructures audit format from simple to explicit auditAdvisory and auditSummary objects with vulnerability counts and dependency metadata.

Dependency Configuration: package.json
  Updates axios devDependency from ^1.13.2 to ^1.13.5.

Report Formatting: updated-packages.txt
  Reformats package update report with ASCII art header, stylized "Package Update Report" section, simplified dependency indicator (axios 1.13.2 → 1.13.5), and added SUMMARY block showing aggregated counts.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Axios bounds up with a safety leap,
From 1.13.2 to heights so steep,
Audit trails show what shadows hide,
Vulnerabilities laid open wide,
Dependencies refreshed with care! 🔐

Pre-merge checks: 3 passed

Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately describes the main change: updating Yarn dependencies for security purposes, which aligns with the axios vulnerability fix (CVE-2026-25639) from version 1.13.2 to 1.13.5.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@audit-report.json`:
- Around line 1-2: The audit-report.json was not regenerated after upgrading
axios; re-run the package install and audit commands and replace the stale
audit-report.json with the fresh output so it verifies axios is >=1.13.5. Run
the install (yarn install or npm ci), then run the audit command that your repo
uses (yarn audit --json or npm audit --json) and write the JSON output to
audit-report.json, ensuring the report's dependencies summary and the axios
advisory entry reflect the patched version (check package.json/yarn.lock and the
advisory entry for axios and CVE-2026-25639).

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba54801 and ea1569a.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (4)
  • audit-before.json
  • audit-report.json
  • package.json
  • updated-packages.txt

Comment on lines +1 to +2
{"type":"auditAdvisory","data":{"resolution":{"id":1113275,"path":"axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.13.2","paths":["axios"]}],"found_by":null,"deleted":null,"references":"- https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433\n- https://github.com/axios/axios/pull/7369\n- https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57\n- https://github.com/axios/axios/releases/tag/v1.13.5\n- https://nvd.nist.gov/vuln/detail/CVE-2026-25639\n- https://github.com/axios/axios/pull/7388\n- https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e\n- https://github.com/axios/axios/releases/tag/v0.30.3\n- https://github.com/advisories/GHSA-43fc-jf86-j433","created":"2026-02-09T17:46:14.000Z","id":1113275,"npm_advisory_id":null,"overview":"# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n const merge = mergeMap[prop] || mergeDeepProperties;\n const configValue = merge(config1[prop], config2[prop], prop);\n (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `'__proto__'`:\n\n1. `JSON.parse('{\"__proto__\": {...}}')` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `'__proto__'` in the iteration\n3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. 
The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse('{\"__proto__\": {\"x\": 1}}');\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n at computeConfigValue (lib/core/mergeConfig.js:100:25)\n at Object.forEach (lib/utils.js:280:10)\n at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse('{\"__proto__\": {\"x\": 1}}')` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. 
The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment occurs.","reported_by":null,"title":"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig","metadata":null,"cves":["CVE-2026-25639"],"access":"public","severity":"high","module_name":"axios","vulnerable_versions":">=1.0.0 <=1.13.4","github_advisory_id":"GHSA-43fc-jf86-j433","recommendation":"Upgrade to version 1.13.5 or later","patched_versions":">=1.13.5","updated":"2026-02-18T17:16:29.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-754"],"url":"https://github.com/advisories/GHSA-43fc-jf86-j433"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":1,"critical":0},"dependencies":156,"devDependencies":0,"optionalDependencies":0,"totalDependencies":156}}
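Review bot: the resolution record on line 1 has "dev":false and the auditSummary on line 2 reports "devDependencies":0, while the walkthrough above describes axios as a devDependency in package.json; confirm the audit was run against the same tree as yarn.lock (a full install, not a production-only one), otherwise the counts here do not describe what the PR ships. The advisory's findings still list "version":"1.13.2" and the summary shows "high":1, so this file is the pre-upgrade audit output; regenerate it after yarn install so the committed report matches the ^1.13.5 bump.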

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Compare audit-before.json and audit-report.json to check if they differ
echo "=== Diffing audit-before.json and audit-report.json ==="
diff audit-before.json audit-report.json && echo "Files are IDENTICAL" || echo "Files DIFFER"

echo ""
echo "=== Check yarn.lock for axios version ==="
if [ -f yarn.lock ]; then
  echo "yarn.lock exists. Searching for axios entries..."
  rg 'axios@' yarn.lock | head -20
else
  echo "yarn.lock not found"
fi

echo ""
echo "=== Check package.json for axios version ==="
rg '"axios"' package.json

Repository: InvoicePlane/InvoicePlane-v2



Regenerate audit-report.json after updating dependencies — it was not re-run post-update.

The audit-report.json file is identical to audit-before.json and still shows the vulnerability as present (axios 1.13.2, high: 1 in summary), even though package.json and yarn.lock have both been correctly updated to axios ^1.13.5. The post-update audit was not regenerated, so the report does not verify that the vulnerability has been resolved. Re-run npm audit (or equivalent) after yarn install to confirm the fix is effective.

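As an added example (not code from the PR, the Yarn Update workflow, or InvoicePlane), a small Node.js check that parses the `yarn audit --json` NDJSON shape shown in this PR's audit-report.json and compares it with the versions package.json declares, so a stale report like this one is caught before merge; the version handling is deliberately minimal and assumes plain `x.y.z` versions and `>=x.y.z` patched ranges.

```javascript
// Added example, not code from the PR, the Yarn Update workflow or InvoicePlane.
// Checks a `yarn audit --json` report (NDJSON: auditAdvisory records, then one auditSummary)
// against package.json's declared versions. Assumes plain x.y.z and ">=x.y.z" forms only.
function parseVersion(v) {
  // Strip range prefixes (^ ~ >= <) and split "1.13.5" into [1, 13, 5].
  return v.replace(/^[\^~>=<\s]+/, '').split('.').map(Number);
}
// Negative when a < b, zero when equal, positive when a > b (major, minor, patch).
const compareVersions = (a, b) =>
  [0, 1, 2].reduce((r, i) => r || ((a[i] || 0) - (b[i] || 0)), 0);
function parseAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type === 'auditAdvisory') advisories.push(rec.data.advisory);
    else if (rec.type === 'auditSummary') summary = rec.data.vulnerabilities;
  }
  return { advisories, summary };
}
// Returns a list of problems; an empty list means the report is fresh and clean.
function checkAuditReport(ndjson, declared) {
  const { advisories, summary } = parseAudit(ndjson);
  const problems = [];
  if (summary && (summary.high > 0 || summary.critical > 0)) {
    problems.push(`summary still reports high=${summary.high} critical=${summary.critical}`);
  }
  for (const adv of advisories) {
    const want = declared[adv.module_name];
    if (!want) continue; // package this check was not asked about
    const wantV = parseVersion(want);
    if (compareVersions(wantV, parseVersion(adv.patched_versions)) < 0) {
      problems.push(`${adv.module_name} ${want} is below patched ${adv.patched_versions} (${adv.cves.join(',')})`);
    }
    for (const f of adv.findings) {
      // A finding on a version older than the declared floor cannot be the installed one: stale report.
      if (compareVersions(parseVersion(f.version), wantV) < 0) {
        problems.push(`stale finding: ${adv.module_name}@${f.version} but package.json declares ${want}`);
      }
    }
  }
  return problems;
}
// Constructed sample mirroring the shape of this PR's audit-report.json.
const SAMPLE_STALE = [
  JSON.stringify({ type: 'auditAdvisory', data: { advisory: { module_name: 'axios', cves: ['CVE-2026-25639'],
    findings: [{ version: '1.13.2', paths: ['axios'] }], vulnerable_versions: '>=1.0.0 <=1.13.4', patched_versions: '>=1.13.5' } } }),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 } } }),
].join('\n');
```

Run with `checkAuditReport(fs.readFileSync('audit-report.json', 'utf8'), require('./package.json').devDependencies)` in CI and fail the job when the returned list is non-empty.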
