fix: update axios to 1.13.6 (CVE-2026-25639, MAL-2026-2306)#3286
jeanfbrito merged 1 commit into dev from
Actionable comments posted: 1
Inline comments:
In `@package.json`:
- Line 67: The package.json change bumped axios to ~1.13.6 but a transitive dependency `@ewsjs/xhr` (package name) still allows an older axios (1.13.4) so both versions remain; fix by either updating the `@ewsjs/xhr` dependency to a version that requires axios >=1.13.6 or add a top-level package manager resolution (e.g., a "resolutions" entry) forcing axios@1.13.6, then reinstall and regenerate the lockfile so only axios 1.13.6 is present in node_modules; target the package.json entry for axios and the dependency entry for `@ewsjs/xhr` when making the change and ensure the lockfile is committed.
Addresses CVE-2026-25639 (prototype pollution DoS in mergeConfig) and MAL-2026-2306. Adds a resolutions entry to force axios 1.13.6 across all transitive consumers (e.g. @ewsjs/xhr), eliminating the duplicate 1.13.4 copy from the lockfile.
Summary

Updates `axios` from `~1.13.2` (resolved 1.13.4) to `~1.13.6` to address two security vulnerabilities in the dependency chain.

Vulnerabilities Addressed

CVE-2026-25639 — Prototype Pollution Denial of Service in axios

The `mergeConfig` function in axios (prior to 1.13.5) crashes with a `TypeError` when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service. This is a prototype pollution vector that bypasses normal prototype chain protections by using `__proto__` as a direct property key.

MAL-2026-2306 — Malicious package advisory (follow-redirects)

A malicious package advisory affecting the `follow-redirects` transitive dependency (used by axios for HTTP redirect handling). Updating axios to 1.13.6 ensures the resolved `follow-redirects` version is patched.

Additional bug fixes included (1.13.5 → 1.13.6)

- `TypeError` when `config.env` is undefined

Changes

- `package.json`: `axios` version spec changed from `~1.13.2` to `~1.13.6`
- `yarn.lock`: Updated accordingly

Test plan

- tsc --noEmit)
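The `__proto__`-as-own-property mechanism the PR description refers to, as an added example that is not part of the PR and not axios's code. It shows why `JSON.parse()` matters (it creates a real own property named `__proto__`, which an object literal would not), how a naive recursive merge follows that key into `Object.prototype`, and what a hardened merge does instead. `naiveMerge`, `safeMerge` and the payload are hypothetical stand-ins; they do not reproduce axios's `mergeConfig` or the exact `TypeError` behind CVE-2026-25639.

```javascript
// Added example, not code from the PR or from axios. It shows the mechanism the
// PR description refers to: JSON.parse() yields an *own* "__proto__" key, a naive
// recursive merge follows it into Object.prototype, and a hardened merge refuses
// it. naiveMerge/safeMerge are hypothetical stand-ins and do not reproduce
// axios's mergeConfig or the exact TypeError behind CVE-2026-25639.
'use strict';

// Keys through which a merge can escape the target object into shared prototypes.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: trusts every own key of `source`. For key "__proto__",
// target[key] resolves through the Object.prototype.__proto__ accessor to
// Object.prototype itself, so the recursion writes into the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: drops prototype-related keys and only recurses into
// properties that `target` actually owns, never into inherited ones.
function safeMerge(target, source) {
  const out = isPlainObject(target) ? target : {};
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue; // refuse silently: throwing would hand the caller a DoS lever
    const val = source[key];
    if (isPlainObject(val)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(out, key) && isPlainObject(out[key]);
      out[key] = safeMerge(ownPlain ? out[key] : {}, val);
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Constructed attacker payload. An object literal {"__proto__": ...} would set the
// prototype instead; JSON.parse creates a genuine own property with that name.
const MALICIOUS_JSON =
  '{"baseURL":"https://api.example.invalid","__proto__":{"polluted":true}}';

function demo() {
  const attackerConfig = JSON.parse(MALICIOUS_JSON);
  const ownProto = Object.prototype.hasOwnProperty.call(attackerConfig, '__proto__');

  naiveMerge({}, attackerConfig);
  const naivePolluted = ({}).polluted === true; // every object in the process now sees it
  delete Object.prototype.polluted;             // undo the damage so the rest of the demo is clean

  const merged = safeMerge({ timeout: 1000 }, attackerConfig);
  const safePolluted = ({}).polluted === true;

  return {
    ownProto,
    naivePolluted,
    safePolluted,
    mergedKeys: Object.keys(merged),
    baseURL: merged.baseURL,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The design point is in `safeMerge`: it rejects the three prototype-related keys up front and recurses only into properties the target owns, so an inherited `__proto__` accessor is never used as a write target. Whether a given library throws (the denial of service the advisory describes) or silently pollutes depends on its merge internals, but both outcomes start from the same own-property key that this example constructs.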