
[Snyk] Security upgrade axios from 1.12.0 to 1.13.5#14

Merged
LCSOGthb merged 1 commit into
mainfrom
snyk-fix-a93c21e88e5da248443f3b30e86bbe09
Apr 5, 2026

Conversation


@LCSOGthb LCSOGthb commented Apr 5, 2026

Owner


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • aq-dashboard/package.json
  • aq-dashboard/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                         Score
high severity  Prototype Pollution  SNYK-JS-AXIOS-15252993    225

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution


vercel Bot commented Apr 5, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project    Deployment    Actions    Updated (UTC)
airmerge   Error         Error      Apr 5, 2026 1:16am


coderabbitai Bot commented Apr 5, 2026

Contributor

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6a7814e4-8f7f-4034-a79e-fc61c613699b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.



deepsource-io Bot commented Apr 5, 2026


DeepSource Code Review

We reviewed changes in 510166d...fcdce08 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card: Overall Grade · Security · Reliability · Complexity · Hygiene (grade badges not reproduced in text)

Code Review Summary

Analyzer        Status   Updated (UTC)           Details
Ruby            (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Rust            (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
JavaScript      (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Scala           (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Shell           (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Secrets         (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Terraform       (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Swift           (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
SQL             (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Test coverage   (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
C & C++         (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
C#              (icon)   Apr 5, 2026 1:17 a.m.   Review ↗
Ansible         (icon)   Apr 5, 2026 1:17 a.m.   Review ↗


codacy-production Bot commented Apr 5, 2026


Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric        Result
Complexity    0
Duplication   0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production codacy-production Bot left a comment


Pull Request Overview

This PR must not be merged in its current state. Despite the stated intent of upgrading axios for security, the implementation contains critical anomalies consistent with a supply chain attack. Specifically, the versions of axios (1.13.5) and follow-redirects (1.15.11) are not present on the public npm registry, and the integrity hashes in the lockfile are mismatched. Additionally, there is an unrelated and potentially regressive downgrade of the React library. A clean manual upgrade of axios is required.

About this PR

  • The lockfile regeneration includes unrelated additions (e.g., 'fsevents') and sub-dependency updates. While sub-dependency updates can be normal for Snyk PRs, in the context of the invalid primary versions identified, the entire lockfile should be treated as untrusted and regenerated from scratch.

Test suggestions

  • Verify axios version is 1.13.5 in package.json
  • Ensure 'react' version remains at ^19.2.3 or higher

Prompt proposal for missing tests

Consider implementing these tests if applicable:

  1. Ensure 'react' version remains at ^19.2.3 or higher

🗒️ Improve review quality by adding custom instructions

Comment thread aq-dashboard/package.json
"http-proxy-middleware": "^3.0.5",
"leaflet": "^1.9.4",
"react": "^19.2.3",
"react": "^19.1.0",
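Review bot: the 'react' range moves from ^19.2.3 to ^19.1.0 in the last line of this hunk, a downgrade that has nothing to do with the axios bump in the PR title; a dependency-fix PR should touch only the package it names, so this line should be reverted and the lockfile regenerated without it before merge.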


🔴 HIGH RISK

The 'react' dependency was downgraded from ^19.2.3 to ^19.1.0. This is out of scope for an axios security fix and may introduce regressions. This change should be reverted. Furthermore, pinning the version to an exact version would resolve the security warning regarding variant versions identified in quality scans.

See Issue in Codacy

Comment thread aq-dashboard/package.json
"@types/react": "^19.1.8",
"@types/react-dom": "^19.1.6",
"axios": "^1.12.0",
"axios": "^1.13.5",
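Review bot: the axios range goes from ^1.12.0 to ^1.13.5 in the last line of this hunk, but a caret range does not pin what gets installed; whether the fix actually lands is decided by the resolved version and integrity recorded in aq-dashboard/package-lock.json, which this hunk does not show. Confirm that the locked axios entry resolves to a published 1.13.x release whose integrity matches what the registry records for that tarball, and that the lockfile change set is limited to axios and its own transitive dependencies, before merging.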


🔴 HIGH RISK

CRITICAL SECURITY RISK: The versions for axios (1.13.5) and follow-redirects (1.15.11) do not exist on the public npm registry. The lockfile provides the integrity hash for version 1.15.9 while labeling it as 1.15.11. These anomalies strongly suggest a supply chain attack or major metadata corruption. Additionally, to resolve security warnings regarding variant versions, the dependency should be pinned to an exact, legitimate version (e.g., 1.7.8 or current stable).

Action: Revert these changes and run npm install axios@latest to upgrade to a legitimate version.

See Issue in Codacy

…duce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
@LCSOGthb LCSOGthb force-pushed the snyk-fix-a93c21e88e5da248443f3b30e86bbe09 branch from c4ccd47 to fcdce08 on April 5, 2026 01:16
@LCSOGthb LCSOGthb merged commit 60f5555 into main Apr 5, 2026
8 of 19 checks passed
@LCSOGthb LCSOGthb deleted the snyk-fix-a93c21e88e5da248443f3b30e86bbe09 branch April 5, 2026 01:16

2 participants