Skip to content

Migrate to pnpm + pin axios 1.17.0 (CVE-2026-42033) [IST-954]#71

Closed
mabl-ad-joe wants to merge 2 commits into
mainfrom
ist-954-axios-cve-2026-42033
Closed

Migrate to pnpm + pin axios 1.17.0 (CVE-2026-42033) [IST-954]#71
mabl-ad-joe wants to merge 2 commits into
mainfrom
ist-954-axios-cve-2026-42033

Conversation

@mabl-ad-joe

Copy link
Copy Markdown

What

  • Migrates this action from npm → pnpm (pnpm@10.34.1 via packageManager), with nodeLinker: hoisted in pnpm-workspace.yaml so the vendor-at-release model keeps producing a flat node_modules the node20 action can load.
  • Pins axios 1.7.91.17.0 (latest), remediating CVE-2026-42033 (prototype pollution, HIGH/7.4) and CVE-2026-40175 (cloud-metadata exfiltration).
  • Converts both workflows, the release/fix/check scripts, and CONTRIBUTING.md to pnpm; removes package-lock.json; adds a public-only pnpm-lock.yaml (no GAR/JFrog/longreen refs — this repo is public).

Why

One of a suite of axios-pin PRs from an org-wide CVE exposure sweep, tracked under IST-954. pnpm migration per team direction to standardize off npm.

🤖 Generated with Claude Code

@twistedpair twistedpair deleted the ist-954-axios-cve-2026-42033 branch June 12, 2026 20:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants