[CLNP-8635] SECURE-3288: remove unused axios and perspective-api-client (SCA fix)#1
Open
sf-tyler-jeong wants to merge 1 commit into
Conversation
Resolves the two critical axios advisories tracked in SECURE-3288:

- CVE-2025-62718 / GHSA-3p68-rc4w-qgx5 (NO_PROXY hostname bypass -> SSRF)
- CVE-2026-40175 / GHSA-fvcv-3m26-pcqx (header injection -> SSRF)

Both were unused dependencies, so they are removed rather than bumped:

- axios is never imported (index.js; googleapis uses its own gaxios client), so removing it eliminates the vulnerable package entirely instead of re-vendoring a bumped-but-unused copy.
- perspective-api-client pinned a vulnerable nested axios 0.18.1 and is unused (index.js calls the Perspective API via googleapis). README install step updated to match.

package-lock.json and node_modules updated accordingly; node_modules/.package-lock.json (npm's hidden state file) is no longer tracked. npm audit reports zero axios advisories.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
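As an added example that is not part of this PR, the two checks the description relies on, written out as code: a dependency declared in package.json that no source file imports, and a copy of a package nested under another dependency in the lockfile. The package.json, source and package-lock inputs are constructed samples mirroring the PR, and the function names and "x.y.z-sample" versions are assumptions.

```javascript
// Added example (not from the PR): find declared-but-unimported dependencies
// and locate every installed copy of a package in a lockfile "packages" map.

// Matches require("x") and import ... from "x"; captures "@scope/name" or
// "name" and drops any subpath such as "axios/lib/adapters/http".
const IMPORT_RE = /(?:require\(\s*|from\s+|import\s+)["']((?:@[^/"']+\/)?[^/"']+)[^"']*["']/g;

function importedPackages(sources) {
  const names = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) names.add(m[1]);
  }
  return names;
}

// Declared dependencies that no source file imports (candidates for removal).
function findUnusedDeps(pkg, sources) {
  const used = importedPackages(sources);
  return Object.keys(pkg.dependencies || {}).filter((d) => !used.has(d)).sort();
}

// Every installed copy of `name`, top-level or nested, with the path that pulls
// it in, so a pinned nested copy is not missed when only the top-level one is bumped.
function findCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, info]) => ({ path, version: info.version }));
}

// Constructed sample input: axios and perspective-api-client are declared, but
// index.js only uses googleapis; a second axios sits under perspective-api-client.
const samplePkg = { dependencies: { axios: "*", googleapis: "*", "perspective-api-client": "*" } };
const sampleSources = {
  "index.js": 'const { google } = require("googleapis");\nimport fs from "node:fs";\n',
};
const sampleLock = {
  packages: {
    "node_modules/axios": { version: "x.y.z-sample" },
    "node_modules/perspective-api-client": { version: "x.y.z-sample" },
    "node_modules/perspective-api-client/node_modules/axios": { version: "0.18.1" },
    "node_modules/googleapis": { version: "x.y.z-sample" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unused:", findUnusedDeps(samplePkg, sampleSources));
  console.log("axios copies:", findCopies(sampleLock, "axios"));
}
```

On a real checkout, read package.json, the source tree and package-lock.json from disk and pass them in; an empty result from findCopies after the change is the same signal npm audit gives here.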