
fix(security): upgrade axios to 1.15.0 for GHSA-3p68-rc4w-qgx5 #41739

Merged
subrata71 merged 1 commit into release from fix/axios-ghsa-3p68-rc4w-qgx5 on Apr 15, 2026

Conversation

@subrata71 subrata71 commented Apr 15, 2026

Summary

  • Upgrade axios to ^1.15.0 in app/client/package.json and app/client/packages/rts/package.json to remediate GHSA-3p68-rc4w-qgx5 / CVE-2025-62718.
  • Regenerate app/client/yarn.lock so all client workspace consumers (including wait-on) resolve to axios@1.15.0.
  • Add RTS regression coverage in app/client/packages/rts/src/__tests__/axiosNoProxyNormalization.test.ts to verify loopback host variants are not proxied when NO_PROXY is set.

Test plan

  • yarn install --mode=skip-build (from app/client)
  • yarn why axios shows axios@1.15.0 for appsmith, appsmith-rts, and wait-on
  • yarn test:unit (from app/client/packages/rts)
  • yarn lint (from app/client/packages/rts)
  • yarn build (from app/client)
  • npx prettier --write ./src ./cypress (from app/client)
  • npx eslint --fix -c ./cypress/.eslintrc.json --cache ./cypress (from app/client) - command was run multiple times but hangs in this local environment without producing completion output.
  • yarn g:jest src/api/__tests__/apiRequestInterceptors.test.ts src/api/__tests__/apiFailureResponseInterceptors.test.ts src/api/__tests__/apiSucessResponseInterceptors.test.ts (from app/client) - fails in this environment due to a missing canvas binary (Cannot find module '../build/Release/canvas.node').

Fixes https://linear.app/appsmith/issue/APP-15127/security-critical-dependabot-alert-580-axios-no-proxy-hostname

Summary by CodeRabbit

  • Chores

    • Updated HTTP client library dependencies across packages to the latest compatible version for improved stability and performance.
  • Tests

    • Added test coverage for proxy configuration normalization behavior to ensure reliable network connectivity.

Automation

/ok-to-test tags="@tag.All"

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/24443669428
Commit: ce5b569
Cypress dashboard.
Tags: @tag.All
Spec:


Wed, 15 Apr 2026 09:39:49 UTC

Upgrade axios to 1.15.0 across client workspaces to remediate GHSA-3p68-rc4w-qgx5/CVE-2025-62718 and add an RTS regression test covering NO_PROXY loopback normalization behavior.
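The regression coverage the PR description adds (loopback host variants must bypass the proxy when NO_PROXY excludes them) is the kind of behaviour the following added example checks. It is illustrative code written for this page, not code from the PR, from Appsmith, or from axios; the function names (`normalizeHost`, `parseNoProxyEntry`, `shouldBypassProxy`, `loopbackUrlsStillProxied`), the matching rules, the sample URLs, and the choice to treat every loopback spelling as one family are this example's own assumptions.

```javascript
// Added example (not code from the Appsmith PR or from axios): a NO_PROXY
// bypass decision that canonicalises host spellings before matching, so
// loopback variants cannot slip past the exclusion list and reach the proxy.
// Function names and matching rules below are this example's own assumptions.

const LOOPBACK_V4 = /^127(\.\d{1,3}){3}$/; // 127.0.0.0/8
const LOOPBACK_V6 = /^(0*:)*0*:0*1$/;      // ::1 and its long forms

// Canonicalise a host: lower-case, drop a trailing dot, drop IPv6 brackets,
// and fold every loopback spelling into one token (design choice: loopback is
// treated as a family, so listing any one spelling in NO_PROXY covers them all).
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  if (h.endsWith('.')) h = h.slice(0, -1);
  if (h === 'localhost' || LOOPBACK_V4.test(h) || LOOPBACK_V6.test(h)) return 'loopback';
  return h;
}

// Parse one NO_PROXY entry into { host, port }. Accepts "host", "host:port",
// ".suffix", "*.suffix", "[v6]", "[v6]:port" and the wildcard "*".
function parseNoProxyEntry(entry) {
  const e = entry.trim();
  if (!e) return null;
  if (e === '*') return { host: '*', port: null };
  let host = e;
  let port = null;
  if (e.startsWith('[')) {
    const close = e.indexOf(']');
    if (close !== -1) {
      host = e.slice(0, close + 1);
      const rest = e.slice(close + 1);
      if (/^:\d+$/.test(rest)) port = Number(rest.slice(1));
    }
  } else {
    // Only split host:port when the left side is not itself a bare IPv6 literal.
    const m = /^(.+):(\d+)$/.exec(e);
    if (m && !m[1].includes(':')) {
      host = m[1];
      port = Number(m[2]);
    }
  }
  host = host.replace(/^\*?\./, ''); // ".example.com" / "*.example.com" -> "example.com"
  return { host: normalizeHost(host), port };
}

function parseNoProxy(noProxy) {
  return (noProxy || '').split(/[,\s]+/).map(parseNoProxyEntry).filter(Boolean);
}

// A rule matches the exact host or any subdomain of it; a port, when given, must agree.
function ruleMatches(rule, host, port) {
  if (rule.port !== null && rule.port !== port) return false;
  if (rule.host === '*') return true;
  return host === rule.host || host.endsWith('.' + rule.host);
}

// Decide whether requestUrl must bypass the configured proxy under noProxy.
function shouldBypassProxy(requestUrl, noProxy) {
  const url = new URL(requestUrl);
  const host = normalizeHost(url.hostname); // URL yields "[::1]" for IPv6 literals
  const port = url.port ? Number(url.port) : (url.protocol === 'https:' ? 443 : 80);
  return parseNoProxy(noProxy).some((rule) => ruleMatches(rule, host, port));
}

// Constructed sample input mirroring the regression concern in the PR: every
// loopback spelling must bypass the proxy once loopback is excluded.
const LOOPBACK_URLS = [
  'http://localhost:3000/health',
  'http://LOCALHOST:3000/health',
  'http://localhost./health',
  'http://127.0.0.1:8080/',
  'http://[::1]:8080/',
  'https://[0:0:0:0:0:0:0:1]/',
];

// Returns the loopback URLs that would still be sent through the proxy (empty = pass).
function loopbackUrlsStillProxied(noProxy) {
  return LOOPBACK_URLS.filter((u) => !shouldBypassProxy(u, noProxy));
}

console.log(loopbackUrlsStillProxied('localhost'));   // []
console.log(loopbackUrlsStillProxied('example.com')); // all six URLs would be proxied
```

The security-relevant failure mode here is a request to a loopback service being handed to an upstream proxy because the host was spelled differently from the NO_PROXY entry (upper-case, trailing dot, bracketed IPv6). Normalising both sides before comparison is what a regression test of the kind the PR adds should pin down.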
coderabbitai bot commented Apr 15, 2026

Walkthrough

Updated axios dependency from ^1.12.0 to ^1.15.0 across multiple package.json files and added a new Jest test validating axios NO_PROXY normalization behavior for loopback host variants with environment variable restoration and proxy request verification.

Changes

Cohort / File(s): Axios Dependency Updates
  app/client/package.json, app/client/packages/rts/package.json
  Summary: Upgraded axios from ^1.12.0 to ^1.15.0 across main and RTS package configurations, including the resolutions section.

Cohort / File(s): Test Suite
  app/client/packages/rts/src/__tests__/axiosNoProxyNormalization.test.ts
  Summary: Added Jest test validating axios NO_PROXY normalization for loopback variants with environment variable capture/restore and zero proxy request assertions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Suggested labels

Bug, ok-to-test

Suggested reviewers

  • riodeuno
  • ashit-rath

Poem

🚀 Axios climbs from one-two to one-five,
NO_PROXY normalization comes alive,
Loopback hosts verified with care,
Proxy attempts? None sneak through there! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title directly describes the main security fix: upgrading axios to address a specific CVE vulnerability.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description check: ✅ Passed. PR description includes objectives, test plan with detailed status, and Cypress results, but lacks explicit issue reference and DevRel communication checkbox.


@subrata71 subrata71 self-assigned this Apr 15, 2026
@subrata71 subrata71 added the ok-to-test Required label for CI label Apr 15, 2026

linear bot commented Apr 15, 2026

@subrata71 subrata71 merged commit 8b2fe62 into release Apr 15, 2026
92 checks passed
@subrata71 subrata71 deleted the fix/axios-ghsa-3p68-rc4w-qgx5 branch April 15, 2026 10:41