Skip to content

[Snyk] Security upgrade axios from 0.19.2 to 1.13.5#49

Open
debug-null wants to merge 1 commit intomasterfrom
snyk-fix-cbbc327065d6a7b695c674fcf949a2b7
Open

[Snyk] Security upgrade axios from 0.19.2 to 1.13.5#49
debug-null wants to merge 1 commit intomasterfrom
snyk-fix-cbbc327065d6a7b695c674fcf949a2b7

Conversation

@debug-null
Copy link
Owner

@debug-null debug-null commented Feb 10, 2026
edited by cursor bot
Loading

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning 
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Prototype Pollution
SNYK-JS-AXIOS-15252993		   828  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

Note

Medium Risk
Upgrades axios from 0.19.2 to 1.13.5, which may introduce breaking behavior changes in HTTP request/response handling despite being a security-driven bump.

Overview
Updates the axios production dependency in package.json from ^0.19.2 to ^1.13.5 to address a reported security vulnerability.

Written by Cursor Bugbot for commit 0b3e85a. This will update automatically on new commits. Configure here.

@snyk-bot
fix: package.json to reduce vulnerabilities
0b3e85a 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
cursor[bot]
cursor bot reviewed Feb 10, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

This PR is being reviewed by Cursor Bugbot

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

package.json
"homepage": "https://github.com/yeyan1996/file-upload#readme",
"dependencies": {
"axios": "^0.19.2",
"axios": "^1.13.5",
Copy link

@cursor cursor bot Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile not updated, security fix not applied

High Severity

The package.json now requires axios ^1.13.5 but the package-lock.json still resolves to axios-0.19.2.tgz. Running npm ci (standard in CI/CD) will fail because the lockfile doesn't satisfy the new package.json constraint, breaking all builds. If npm install is used instead, it may silently resolve the mismatch, but the commit as-is doesn't actually deliver the security fix. The lockfile needs to be regenerated before merging.

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@debug-null @snyk-bot