
Security: axios 1.14.1 and 0.30.4 are compromised #6445

@Fab2295

Describe the Question

Hello,

I would like to check whether you are already aware of the recent Axios supply chain incident involving the compromised versions 1.14.1 and 0.30.4. According to the public reports, these releases were maliciously published and should not be used.

From our side, we noticed that the latest @sap/cds version is currently using axios 1.14.0, which appears to be just before the compromised 1.14.1 release. Based on that, I wanted to understand whether you plan to wait until the Axios situation is fully stabilized before updating Axios again in future versions of this library.

Could you please clarify:

  1. Are you already aware of this Axios incident and its impact on downstream consumers?
  2. Do you plan to keep the current Axios version pinned for now?
  3. Will you wait for Axios to stabilize further before resuming updates in future releases of this library?

I am asking mainly to understand the dependency strategy and the expected direction for consumers who rely on this package in enterprise environments.

Sources:

axios/axios#10604
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Thank you.
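The practical check behind this question is whether any copy of the two versions named above is present in an installed tree, including transitive copies nested under other packages. The script below is an added example, not code from the issue or from the @sap/cds project: it parses an npm lockfile (lockfileVersion 2/3 "packages" map, with a fallback for the v1 "dependencies" tree) and reports every installed package whose version is on a deny list. The only deny-list entries are axios 1.14.1 and 0.30.4, as cited in the issue; the sample lockfile and the package names in it are constructed for the example.

```javascript
// Added example (not from the issue or the @sap/cds project): report installed
// copies of axios whose version matches the compromised releases cited above.
// Works on lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 ("dependencies" tree).

// Versions taken from the issue text; extend the map for other advisories.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
};

// Recursively walk a lockfileVersion 1 "dependencies" tree, recording each node.
function walkV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.push({ name, version: info.version, path });
    if (info.dependencies) walkV1(info.dependencies, path, out);
  }
}

// Return every installed { name, version, path } triple from a parsed lockfile.
function installedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project entry, not a dependency
      // Keys look like "node_modules/a/node_modules/axios"; the package name is
      // whatever follows the last "node_modules/" (scoped names keep their "@scope/").
      const parts = key.split("node_modules/");
      out.push({ name: parts[parts.length - 1], version: info.version, path: key });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Return the installed packages whose (name, version) is on the deny list.
function findCompromised(lock, denyList = COMPROMISED) {
  return installedPackages(lock).filter(
    (p) => denyList[p.name] !== undefined && denyList[p.name].has(p.version)
  );
}

// Convenience wrapper for a lockfile on disk (CommonJS require kept inside so the
// pure functions above stay usable without filesystem access).
function scanLockfile(lockPath, denyList = COMPROMISED) {
  const fs = require("fs");
  return findCompromised(JSON.parse(fs.readFileSync(lockPath, "utf8")), denyList);
}

// Constructed sample lockfile: one clean top-level axios 1.14.0 (as the issue reports
// for @sap/cds) plus a nested copy pulled in by a hypothetical "some-tool" package.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "@sap/cds": "^9.0.0" } },
    "node_modules/@sap/cds": { version: "9.0.0", dependencies: { axios: "1.14.0" } },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-tool": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-tool/node_modules/axios": { version: "1.14.1" },
  },
};

// CLI use: `node scan.js package-lock.json` exits 1 when a hit is found; with no
// argument it scans the constructed sample above and only prints the result.
if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const hits = target ? scanLockfile(target) : findCompromised(SAMPLE_LOCK);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (target && hits.length > 0) process.exit(1);
}
```

The nested copy is the case a quick `npm ls axios` in the project root also surfaces, but a lockfile scan can run in CI without an install step. Pinning a transitive copy, as question 2 asks about, is done on the consumer side through the `overrides` field in package.json (npm) rather than by the library author alone.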

Metadata

Assignees: no one assigned

Labels: question (Further information is requested)