
webchat: override axios to 0.32.0 to remediate GHSA-pjwm-pj3p-43mv #4464

Draft
Copilot wants to merge 2 commits into master from copilot/fix-dependabot-axios-issue

Conversation

Copilot AI commented Jun 8, 2026

Contributor

Description

Dependabot flagged axios@0.21.4 in webchat/package-lock.json as vulnerable to NO_PROXY bypass via IPv4-mapped IPv6 handling (GHSA-pjwm-pj3p-43mv / CVE-2026-44492). This PR moves the resolved axios version to the minimum patched release (0.32.0) with the smallest possible dependency change.

  • Dependency remediation

    • Added an npm override in webchat/package.json to force axios to 0.32.0.
    • Regenerated webchat/package-lock.json via npm so the transitive axios resolution is no longer 0.21.4.
  • Lockfile outcome

    • node_modules/axios now resolves to 0.32.0 in webchat/package-lock.json.
    • The vulnerable 0.21.4 lockfile resolution is removed.
  • Reachability assessment

    • Advisory impact is tied to axios proxy bypass logic (NO_PROXY/HTTP_PROXY) in Node proxy flows.
    • In webchat, axios is transitive (via @twilio/flex-webchat-ui), and no direct NO_PROXY / HTTP_PROXY handling was found in this package’s runtime source.
    • Assessment: no clear direct reachability in webchat application code; update primarily eliminates vulnerable dependency resolution and scanner exposure.
    • Confidence: Medium-High.
{
  "overrides": {
    "axios": "0.32.0"
  }
}

Checklist

  • Corresponding issue has been opened
  • New tests added
  • Feature flags added
  • Strings are localized
  • Tested for chat contacts
  • Tested for call contacts

Other Related Issues

None

Verification steps

  1. In /webchat, run dependency resolution and inspect lockfile:
    • npm install
    • confirm webchat/package-lock.json contains node_modules/axios at 0.32.0
  2. Confirm effective dependency tree:
    • npm ls axios
    • verify @twilio/flex-webchat-ui resolves to overridden axios@0.32.0

AFTER YOU MERGE

  1. Cut a release tag using the Github workflow. Wait for it to complete and notify in the #aselo-deploys Slack channel.
  2. Comment on the ticket with the release tag version AND any additional instructions required to configure an environment to test the changes.
  3. Only then move the ticket into the QA column in JIRA

You are responsible for ensuring the above steps are completed. If you move a ticket into QA without advising what version to test, the QA team will assume the latest tag has the changes. If it does not, the following confusion is on you! :-P

Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)</alert_title>
<alert_description>### Summary
shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked.

Details

lib/helpers/shouldBypassProxy.js (v1.15.0):

  const LOOPBACK_ADDRESSES = new Set(['localhost', '127.0.0.1', '::1']);
  const isLoopback = (host) => LOOPBACK_ADDRESSES.has(host);

  // normalizeNoProxyHost strips brackets and trailing dots, but not ::ffff: prefix
  return hostname === entryHost || (isLoopback(hostname) && isLoopback(entryHost));

The WHATWG URL parser canonicalises http://[::ffff:127.0.0.1]/ to hostname [::ffff:7f00:1]. After bracket-stripping: ::ffff:7f00:1. This string does not match 127.0.0.1 in NO_PROXY and is not in LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and the proxy is used. proxy-from-env (called before shouldBypassProxy) has the same gap - it does not equate ::ffff:7f00:1 with 127.0.0.1 - so neither layer catches the bypass.

PoC

// NO_PROXY=127.0.0.1,localhost,::1  HTTP_PROXY=http://attacker:8080
import shouldBypassProxy from 'axios/lib/helpers/shouldBypassProxy.js';

// All three should return true (bypass proxy). Only the first two do.
console.log(shouldBypassProxy('http://127.0.0.1/'));          // true  [OK]
console.log(shouldBypassProxy('http://[::1]/'));              // true  [OK]
console.log(shouldBypassProxy('http://[::ffff:127.0.0.1]/')); // false <- bypass
console.log(shouldBypassProxy('http://[::ffff:7f00:1]/'));    // false <- bypass

Node.js routes ::ffff:7f00:1 to 127.0.0.1:

// net.connect({ host: '::ffff:7f00:1', port: 80 }) reaches a service
// bound to 127.0.0.1:80 — confirmed on Node.js v24, Linux and macOS.


- Resolves techmatters/flex-plugins alert #957

Co-authored-by: stephenhand <1694716+stephenhand@users.noreply.github.com>
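The normalisation gap the alert describes, as an added example that is neither axios's code nor part of this PR: a naive NO_PROXY check that compares stripped host strings, beside a hardened one that collapses IPv4-mapped IPv6 literals to dotted IPv4 before comparing. The function names and the sample NO_PROXY value are constructed for the example.

```javascript
// Added example, not axios or flex-plugins code: a string comparison of the request
// host against NO_PROXY misses IPv4-mapped IPv6; normalising to dotted IPv4 first fixes it.
// Lower-case, trim, strip URL brackets and a trailing dot (what the advisory says
// normalizeNoProxyHost does), while leaving any ::ffff: prefix alone.
function stripHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  return h.replace(/\.$/, '');
}

// Expand an IPv6 literal to eight 16-bit words, or null if malformed. A dotted-quad
// tail (::ffff:127.0.0.1) is folded into the last two words first.
function expandIPv6(addr) {
  const a = addr.replace(/(\d+)\.(\d+)\.(\d+)\.(\d+)$/, (_, b1, b2, b3, b4) =>
    (b1 << 8 | b2).toString(16) + ':' + (b3 << 8 | b4).toString(16));
  const parts = a.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts[1] ? parts[1].split(':') : [];
  if (parts.length === 1 && head.length !== 8) return null;
  const words = [...head, ...Array(Math.max(0, 8 - head.length - tail.length)).fill('0'), ...tail]
    .map((x) => (/^[0-9a-f]{1,4}$/.test(x) ? parseInt(x, 16) : NaN));
  return words.length === 8 && words.every(Number.isInteger) ? words : null;
}

// Canonical host for comparison: ::ffff:a.b.c.d and ::ffff:xxxx:xxxx both collapse
// to a.b.c.d; anything else is returned as stripHost left it.
function normalizeHost(host) {
  const h = stripHost(host);
  if (!h.includes(':')) return h;
  const w = expandIPv6(h);
  if (w && w.slice(0, 5).every((x) => x === 0) && w[5] === 0xffff) {
    return `${w[6] >> 8}.${w[6] & 255}.${w[7] >> 8}.${w[7] & 255}`;
  }
  return h;
}

// Naive check with the gap the advisory describes: stripped strings compared as-is.
function naiveBypass(url, noProxy) {
  const host = stripHost(new URL(url).hostname);
  return noProxy.split(',').map(stripHost).includes(host);
}
// Hardened check: the request host and every NO_PROXY entry are normalised first.
function hardenedBypass(url, noProxy) {
  const host = normalizeHost(new URL(url).hostname);
  return noProxy.split(',').map(normalizeHost).includes(host);
}
// Constructed sample NO_PROXY: the mapped loopback literal slips past the naive check only.
console.log(naiveBypass('http://[::ffff:127.0.0.1]/', '127.0.0.1,localhost,::1'));    // false
console.log(hardenedBypass('http://[::ffff:127.0.0.1]/', '127.0.0.1,localhost,::1')); // true
```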
Copilot AI changed the title from "[WIP] Fix axios's shouldBypassProxy to handle IPv4-mapped IPv6 addresses" to "webchat: override axios to 0.32.0 to remediate GHSA-pjwm-pj3p-43mv" Jun 8, 2026
Copilot AI requested a review from stephenhand June 8, 2026 15:36