
chore: lock axios dependency to avoid plain-crypto-js#339

Merged
tharropoulos merged 1 commit into typesense:master from tharropoulos:lock-axios
Mar 31, 2026

Conversation

@tharropoulos
Collaborator

Change Summary

axios has been compromised in 1.14.1 with a dependency called plain-crypto-js, which is confirmed to be a supply chain attack. Lock the version to 1.13.5 to avoid incremental updates before this is resolved.

PR Checklist

@tharropoulos tharropoulos merged commit b334b3a into typesense:master Mar 31, 2026
1 check passed
lazka added a commit to lazka/typesense-js that referenced this pull request Apr 16, 2026
The version was pinned in typesense#339 due to the supply chain attack on axios.
See axios/axios#10636 for their post mortem.

There have been new security relevant releases, see
https://github.com/axios/axios/releases/tag/v1.15.0
so I think we should allow new releases (>1.15.0) again.
@lazka lazka mentioned this pull request Apr 16, 2026
