2 changes: 1 addition & 1 deletion cloud/package.json
@@ -48,7 +48,7 @@
"@types/react": "18.2.79",
"@types/react-dom": "18.2.25",
"assemblyai": "^4.9.0",
"axios": "^1.8.1",
"axios": "1.14.0",
"dotenv": "^16.5.0",
"langchain": "^0.3.18",
"pino": "^9.6.0",
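Review bot: The exact pin `"axios": "1.14.0"` in place of the `^1.8.1` range means later axios patch releases will no longer be picked up by range resolution; that is the right call for an emergency pin, but please record in the PR description when the caret range can be restored. This commit also touches only package.json files, so confirm the lockfile for cloud/ was regenerated in the same change; otherwise a frozen-lockfile install will either reject the change or keep the previously resolved version until the lockfile is updated.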
2 changes: 1 addition & 1 deletion cloud/packages/cli/package.json
@@ -28,7 +28,7 @@
"dependencies": {
"@mentra/types": "1.0.0-beta.2",
"commander": "^11.1.0",
"axios": "^1.6.5",
"axios": "1.14.0",
"jsonwebtoken": "^9.0.2",
"cli-table3": "^0.6.3",
"chalk": "^5.3.0",
2 changes: 1 addition & 1 deletion cloud/packages/cloud/package.json
@@ -47,7 +47,7 @@
"@supabase/supabase-js": "^2.49.1",
"@types/ali-oss": "^6.16.11",
"ali-oss": "^6.23.0",
"axios": "^1.7.4",
"axios": "1.14.0",
"bun-types": "^1.3.5",
"dotenv": "^10.0.0",
"form-data": "^4.0.1",
2 changes: 1 addition & 1 deletion cloud/packages/sdk/package.json
@@ -45,7 +45,7 @@
"dependencies": {
"@logtail/pino": "^0.5.4",
"@mentra/types": "^1.0.0-beta.1",
"axios": "^1.8.1",
"axios": "1.14.0",
"chalk": "^5.6.2",
"dotenv": "^16.4.0",
"hono": "^4.11.3",
2 changes: 1 addition & 1 deletion cloud/websites/account/package.json
@@ -29,7 +29,7 @@
"@radix-ui/react-use-previous": "1.1.1",
"@supabase/supabase-js": "^2.49.1",
"@tailwindcss/vite": "^4.0.8",
"axios": "^1.8.1",
"axios": "1.14.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dotenv": "^16.4.7",
2 changes: 1 addition & 1 deletion cloud/websites/console/package.json
@@ -48,7 +48,7 @@
"@supabase/supabase-js": "^2.49.1",
"@tailwindcss/vite": "^4.0.8",
"@types/dotenv": "^8.2.3",
"axios": "^1.8.1",
"axios": "1.14.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"cmdk": "^1.0.0",
2 changes: 1 addition & 1 deletion cloud/websites/debugger/package.json
@@ -27,7 +27,7 @@
"@tabler/icons-react": "^2.22.0",
"@tailwindcss/forms": "^0.5.3",
"@tailwindcss/typography": "^0.5.15",
"axios": "^1.4.0",
"axios": "1.14.0",
"browser-fs-access": "^0.35.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
2 changes: 1 addition & 1 deletion cloud/websites/shared/package.json
@@ -25,7 +25,7 @@
"@tailwindcss/vite": "^4.0.8",
"@types/dotenv": "^8.2.3",
"authing-js-sdk": "^4.23.55",
"axios": "^1.8.1",
"axios": "1.14.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dotenv": "^16.4.7",
2 changes: 1 addition & 1 deletion cloud/websites/store/package.json
@@ -29,7 +29,7 @@
"@radix-ui/react-tooltip": "^1.1.8",
"@supabase/supabase-js": "^2.49.1",
"@tailwindcss/vite": "^4.0.8",
"axios": "^1.8.1",
"axios": "1.14.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dotenv": "^16.4.7",
2 changes: 1 addition & 1 deletion mobile/package.json
@@ -53,7 +53,7 @@
"@shopify/flash-list": "2.0.2",
"@supabase/supabase-js": "^2.99.0",
"authing-js-sdk": "^4.23.55",
"axios": "^1.13.6",
"axios": "1.14.0",
"babel-plugin-module-resolver": "5.0.0",
"core": "file:./modules/core",
"crust": "file:./modules/crust",
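Review bot: mobile/package.json was already on `^1.13.6`, which range-resolves to 1.14.0 on a fresh install, so the exact pin changes nothing for the direct dependency and is mainly there for consistency with the other packages. Since mobile/ sits outside cloud/** and is covered by the root pnpm lockfile discussed in the comment on package.json below, any second copy of axios that a transitive dependency pulls in is governed only by the root override, not by this line; please check the lockfile after install for axios entries other than 1.14.0.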
5 changes: 5 additions & 0 deletions package.json
@@ -25,5 +25,10 @@
"scripts": {
"prepare": "husky",
"generate-licenses": "bun docs/generate-licenses.ts"
},
"overrides": {
"axios@>=1": "1.14.0",
"axios@<1": "0.30.3",
"plain-crypto-js": "0.0.0-blocked"
}
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which package manager lockfiles exist and check override syntax compatibility

echo "=== Checking for lockfiles ==="
fd -t f -d 2 'package-lock.json|pnpm-lock.yaml|yarn.lock|bun.lockb' .

echo ""
echo "=== pnpm-lock.yaml header (if exists) ==="
head -10 pnpm-lock.yaml 2>/dev/null || echo "pnpm-lock.yaml not found"

echo ""
echo "=== cloud/package.json resolutions field ==="
cat cloud/package.json 2>/dev/null | jq '.resolutions // "No resolutions field"'

echo ""
echo "=== Root package.json pnpm field ==="
cat package.json | jq '.pnpm // "No pnpm field"'

Repository: Mentra-Community/MentraOS
🏁 Script executed:

#!/bin/bash

# Check the full package.json structure
echo "=== Root package.json (relevant sections) ==="
cat package.json | jq '{scripts, overrides, pnpm, resolutions}' 2>/dev/null || cat package.json | jq -r '.overrides, .pnpm, .resolutions'

echo ""
echo "=== Cloud package.json structure ==="
cat cloud/package.json 2>/dev/null | jq '{scripts, overrides, pnpm, resolutions, workspaces}' 2>/dev/null

echo ""
echo "=== Check if bun.lockb exists ==="
ls -la bun.lockb 2>/dev/null || echo "No bun.lockb found"

echo ""
echo "=== Check for workspace-related config ==="
cat package.json | jq '.workspaces // "No workspaces field"'

🌐 Web query:

pnpm overrides field top-level vs pnpm.overrides nested syntax

💡 Result:

In pnpm (version 10.x as of 2026), the overrides field is a top-level key used in pnpm-workspace.yaml at the root of the project (or workspace). It cannot be set in sub-packages and must be at the project root. Example in pnpm-workspace.yaml:

overrides:
  foo: ^1.0.0

In package.json, pnpm-specific overrides are nested under the pnpm.overrides field (though official docs emphasize pnpm-workspace.yaml; package.json usage is common in practice, especially for non-workspace projects or root package.json). Example in root package.json:

{ "pnpm": { "overrides": { "foo": "^1.0.0" } } }

pnpm does NOT natively support npm-style top-level overrides in package.json (e.g., "overrides": { "foo": "^1.0.0" }) due to differences in resolution algorithms. Top-level overrides is ignored by pnpm; use pnpm.overrides or pnpm-workspace.yaml instead. This is a long-standing design choice, with open issues requesting compatibility.

Key differences:
- pnpm-workspace.yaml: Top-level overrides (preferred for workspaces, official docs).
- package.json: Nested pnpm.overrides (works in root, common in tutorials).

Both achieve the same: overriding dependencies project-wide. Use root location only.

🌐 Web query:

bun package manager resolutions vs overrides dependency resolution

💡 Result:

In Bun package manager, "overrides" and "resolutions" are equivalent mechanisms for forcing specific versions of dependencies (including metadependencies/transitive dependencies) anywhere in the dependency tree. There is no difference between them in Bun. Both are supported in package.json at the top level:
- "overrides": npm-style syntax
- "resolutions": Yarn-style syntax (for easier migration from Yarn)

Example:

{ "overrides": { "bar": "~4.4.0" } }

or

{ "resolutions": { "bar": "~4.4.0" } }

Bun forces the specified version of "bar" for all occurrences, direct or nested.

Limitations (as of latest docs):
- Only top-level (flat) overrides/resolutions supported; nested/scoped not supported (warns and ignores).
- Only read from root package.json (not workspace children).

They serve the same purpose: override dependency resolution to pin versions (e.g., for security fixes), with identical behavior and syntax.

Critical: overrides field will be ignored by pnpm.

The repository has pnpm-lock.yaml at the root (lockfileVersion 9.0), indicating pnpm is the active package manager. However, pnpm does not recognize top-level "overrides" in package.json—it requires the field nested under the "pnpm" key or defined in pnpm-workspace.yaml.

As a result, transitive dependencies pulling in compromised axios versions won't be blocked by pnpm. The field will have no effect on dependency resolution in pnpm workspaces.

Note: bun (used in cloud/**) supports the current "overrides" syntax at the top level, so no changes are needed there. The issue is pnpm-specific.

🔒 Proposed fix for pnpm compatibility
   "scripts": {
     "prepare": "husky",
     "generate-licenses": "bun docs/generate-licenses.ts"
   },
-  "overrides": {
-    "axios@>=1": "1.14.0",
-    "axios@<1": "0.30.3",
-    "plain-crypto-js": "0.0.0-blocked"
+  "pnpm": {
+    "overrides": {
+      "axios@>=1": "1.14.0",
+      "axios@<1": "0.30.3",
+      "plain-crypto-js": "0.0.0-blocked"
+    }
   }
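Review bot: Dropping the top-level `"overrides"` block entirely, as this suggestion does, removes the override for any npm or bun install run from the repository root; keeping both the top-level `"overrides"` and the nested `"pnpm": { "overrides": ... }` with identical entries costs nothing and makes the pin hold regardless of which manager resolves the tree. Whichever form is kept, please run a fresh install afterwards and check the lockfile for axios entries other than 1.14.0 / 0.30.3 to confirm the override actually took effect.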
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 29 - 33, the top-level "overrides" block will be
ignored by pnpm; move the overrides into pnpm-specific configuration so pnpm
enforces them. Update package.json to nest the existing overrides object under a
"pnpm" key (e.g., add "pnpm": { "overrides": { "axios@>=1": "1.14.0",
"axios@<1": "0.30.3", "plain-crypto-js": "0.0.0-blocked" } }) or alternatively
place the same overrides in pnpm-workspace.yaml if you prefer workspace-level
config; leave the bun-specific top-level overrides in cloud/** unchanged. Ensure
the symbols "overrides", "pnpm", and the axios override entries ("axios@>=1",
"axios@<1") are present in the pnpm-recognized config.

}
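Review bot: In the new `"overrides"` block of the root package.json, the two axios keys use the `name@range` selector form (`axios@>=1`, `axios@<1`); pnpm documents that form, but please verify with a bun install that both entries are applied rather than treated as unknown package names and skipped. `"plain-crypto-js": "0.0.0-blocked"` points at a version that does not exist, so any package depending on plain-crypto-js will make installation fail; that is a reasonable way to block a package outright, but because package.json cannot carry comments, please document the intent (and the axios pins) in the PR description or changelog so the next maintainer does not "fix" the failing install by deleting the entry. The pnpm placement issue raised in the comment above still applies to this block.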
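To check a checkout for the two conditions discussed in this review (every package.json on the exact axios pin, and the root override block placed where the active package manager reads it), here is an added verification script; it is not part of the MentraOS repository or the PR. It assumes, as the review above states, that npm and bun read top-level `"overrides"` while pnpm reads only `"pnpm.overrides"`, and it builds a constructed sample tree in a temporary directory rather than reading a real checkout.

```python
"""Added check, not part of the MentraOS PR: does every package.json pin axios to the
override version, and is the root override block one that pnpm actually reads?"""
import json
import tempfile
from pathlib import Path

PINNED = {"axios": "1.14.0"}  # exact version this PR pins in every package.json
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

def check_pins(root: Path, pinned=PINNED):
    """Return (file, package, spec) for each dependency spec that is not the exact pin."""
    problems = []
    for pj in sorted(root.rglob("package.json")):
        if "node_modules" in pj.parts:
            continue
        data = json.loads(pj.read_text())
        for field in DEP_FIELDS:
            for name, spec in data.get(field, {}).items():
                if name in pinned and spec != pinned[name]:
                    problems.append((pj.relative_to(root).as_posix(), name, spec))
    return problems

def override_readers(root_pkg: dict, name: str):
    """Managers that enforce an override for `name` from this root package.json (assumed:
    npm and bun read top-level "overrides", pnpm only "pnpm.overrides"). Keys may carry
    a range selector such as "axios@>=1", so match on the package-name prefix."""
    def has(block):
        return any(k == name or k.startswith(name + "@") for k in block)
    readers = ["npm", "bun"] if has(root_pkg.get("overrides", {})) else []
    if has(root_pkg.get("pnpm", {}).get("overrides", {})):
        readers.append("pnpm")
    return readers

def build_sample_tree(root: Path, nest_under_pnpm: bool):
    """Constructed sample: the PR's override block at the root, one workspace on a caret range."""
    overrides = {"axios@>=1": "1.14.0", "axios@<1": "0.30.3"}
    root_pkg = {"pnpm": {"overrides": overrides}} if nest_under_pnpm else {"overrides": overrides}
    for rel, pkg in [("package.json", root_pkg),
                     ("mobile/package.json", {"dependencies": {"axios": "^1.13.6"}}),
                     ("cloud/package.json", {"dependencies": {"axios": "1.14.0"}})]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(json.dumps(pkg))

def run_sample(nest_under_pnpm: bool):
    """Build the sample tree in a temp dir; return (pin problems, managers enforcing axios)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d), nest_under_pnpm)
        root_pkg = json.loads((Path(d) / "package.json").read_text())
        return check_pins(Path(d)), override_readers(root_pkg, "axios")
```

Calling `run_sample(False)` reproduces the PR as submitted (top-level block only) and reports that pnpm will not enforce it; `run_sample(True)` reproduces the suggested fix, where only pnpm enforces it, which is why keeping both blocks is preferable. On a real checkout, call `check_pins(Path("."))` and `override_readers` on the root package.json instead of the sample tree.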