[Snyk] Security upgrade axios from 1.12.0 to 1.13.5

[LCSOGthb]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• aq-dashboard/package.json
• aq-dashboard/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-AXIOS-15252993	225

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
airmerge	Error		Apr 5, 2026 1:14am

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: aeb89c30-bbb8-4172-91c9-8ae1041bccb5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch snyk-fix-441cd3874eb41ff30d99ff8d48327ce0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[deepsource-io]

DeepSource Code Review

We reviewed changes in f7be5f2...b1191ae on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Ruby		Apr 5, 2026 1:14a.m.	Review ↗
Rust		Apr 5, 2026 1:14a.m.	Review ↗
JavaScript		Apr 5, 2026 1:14a.m.	Review ↗
Scala		Apr 5, 2026 1:14a.m.	Review ↗
Shell		Apr 5, 2026 1:14a.m.	Review ↗
Secrets		Apr 5, 2026 1:14a.m.	Review ↗
Terraform		Apr 5, 2026 1:14a.m.	Review ↗
Swift		Apr 5, 2026 1:14a.m.	Review ↗
SQL		Apr 5, 2026 1:14a.m.	Review ↗
Test coverage		Apr 5, 2026 1:14a.m.	Review ↗
C & C++		Apr 5, 2026 1:14a.m.	Review ↗
C#		Apr 5, 2026 1:14a.m.	Review ↗
Ansible		Apr 5, 2026 1:14a.m.	Review ↗

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes. Give us feedback}

[codacy-production]

Pull Request Overview

While Codacy reports the PR as up to standards, there are critical blocking issues that prevent merging. Most notably, the integrity hash for follow-redirects in the lockfile is duplicated from a previous version, which will cause a SHASUM mismatch and break the build. Additionally, the axios version 1.13.5 appears incorrect as the official registry has not reached this version; this must be verified to ensure this isn't a malicious or non-standard package. There is also a lack of automated verification to ensure the dependency update doesn't break HTTP communication.

About this PR

• The version '1.13.5' for axios is highly unexpected as the official package on the public npm registry is currently at version 1.7.x. Please verify the target version or the source registry to ensure this is not a typo or an invalid package.

Test suggestions

• Verify that application HTTP requests using axios continue to function correctly with version 1.13.5.
• Perform a fresh install and verify that the package-lock.json remains stable across different development environments.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify that application HTTP requests using axios continue to function correctly with version 1.13.5.
2. Perform a fresh install and verify that the package-lock.json remains stable across different development environments.

Low confidence findings

• The package-lock.json update includes macOS-specific dependencies (fsevents). This introduces platform-specific noise that can affect developers on other operating systems. It is recommended to regenerate the lockfile in a standardized environment (e.g., Linux-based CI or Docker).

---

🗒️ Improve review quality by adding custom instructions

[codacy-production]

_{🔴 HIGH RISK}

The integrity hash for follow-redirects@1.15.11 is identical to the hash for version 1.15.9. This will cause a SHASUM256 mismatch error during installation.

Try running the following command to properly regenerate the lockfile:
npm install.

[codacy-production]

_{🔴 HIGH RISK}

Suggestion: Pin the version of 'axios' to '1.13.5' by removing the caret (^) prefix. This ensures that only the specifically audited version is installed, mitigating risks associated with dependency hijacking and ensuring consistent behavior across all environments.

Suggested change

	"axios": "^1.13.5",
	"axios": "1.13.5",

See Issue in Codacy