
GRAL-5985 fix: sync lockfile axios specifier and remove redundant flatted override#731

Draft
pipedrive-backoffice-pr[bot] wants to merge 1 commit into master from jira-to-pr-345c21cc9e3d95ba234cf27c956bc1d62cf7ab71dfd27b0201491f0e-20260519082652

Conversation


@pipedrive-backoffice-pr pipedrive-backoffice-pr Bot commented May 19, 2026

Jira: GRAL-5985
Workflow run: GitHub Actions

Summary

  • Synced package-lock.json root spec for axios from stale ^1.13.6 to ^1.16.0 (matching package.json), resolving the security scanner flag for CVE-2026-42033, CVE-2026-42035, CVE-2026-42043, CVE-2026-42264
  • Removed redundant flatted override — parent flat-cache@3.0.4 (^3.1.0) already resolves to 3.4.2 without it
  • The resolved axios version was already 1.16.0 (above the required 1.15.2); the vulnerability was caused by the lockfile metadata mismatch, not the actual installed version

Test plan

  • npm audit reports zero axios vulnerabilities
  • npm run build passes
  • npm run test — all 25 tests pass
  • SonarQube quality gate passes with no new issues
  • Compliance check passes (all rules N/A — no source code changes)

🤖 Generated with Claude Code

The package-lock.json root spec for axios was stale (^1.13.6) while
package.json already specified ^1.16.0. This mismatch could cause
security scanners to flag the dependency as vulnerable. Regenerated
the lockfile to sync the spec. Also removed the flatted override
since flat-cache@3.0.4 already resolves to 3.4.2 without it.

Resolves: GRAL-5985

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pipedrive-backoffice-pr
Author

Compliance check

Run: 26084866925

✅ Compliance report

✅ Compliance Review — Passed

Template: Security by Design Checklist v1
Rules evaluated: 0 applicable / 15 prompt rules (1 manual rule(s) skipped)


  • Session Management — N/A
    Details Diff only changes CHANGELOG.md, package-lock.json, and package.json. No backend source files modified.
  • Authentication and Password Management — N/A
    Details No backend source files changed; no authentication or credential handling code touched.
  • If using Oauth, do not store tokens in plaintext — N/A
    Details No backend source files changed; no DB write calls with tokens added.
  • Output Encoding — N/A
    Details No frontend source files changed; no .tsx or .jsx files in the diff.
  • Access Control — N/A
    Details No route, controller, middleware, or guard files changed.
  • Security-event logs — N/A
    Details No authentication, authorization, or access control code changed.
  • Input Validation (manual) — N/A
    Details Manual rule — skipped.
  • Backend data scoped to user permissions — N/A
    Details No new GET route handlers added.
  • No stack trace exposure + implement generic error messages — N/A
    Details No backend source files changed; no error handler code in the diff.
  • Log input validation failures — N/A
    Details No input validation, schema definitions, or route parameters changed.
  • Protection of temporary copies of sensitive data — N/A
    Details No cache writes, redis calls, or temporary file operations added.
  • Cross-domain calls — N/A
    Details No CORS configuration or Access-Control-Allow-Origin headers added.
  • Error handling denies access by default — N/A
    Details No catch blocks added in backend source files.
  • Exceptions are handled — N/A
    Details No changes to error handler registration files (app.ts, server.ts, index.ts).
  • Encryption of sensitive data — N/A
    Details No DB write calls or Kafka produce calls with sensitive fields added.
  • Protect server-side source code from HTTP access — N/A
    Details No static file serving or template engine registration added.

Evaluated by compliance-engine plugin · Template #29

@pipedrive-backoffice-pr
Author

Jira ↔ PR Relevance Check: Relevant

Ticket: Update axios to ≥1.15.2 to fix CVE-2026-42033, CVE-2026-42035, CVE-2026-42043, CVE-2026-42264.

What aligns

  • package-lock.json: Syncs the axios specifier from ^1.13.6 → ^1.16.0, which exceeds the required minimum of 1.15.2 and addresses all four CVEs listed in the ticket.
  • CHANGELOG.md: Documents the security fix — standard practice.
  • The PR description confirms npm audit reports zero axios vulnerabilities and all tests pass.

Minor unrelated change

  • package.json: Removes the flatted override (^3.4.0). This is not requested by the ticket but is a low-risk housekeeping cleanup in the same dependency config file. The PR description explains the override was redundant since flat-cache@3.0.4 already resolves flatted to 3.4.2 without it.

Summary

The PR directly and fully addresses the Jira ticket requirements. The only extra change (removing the flatted override) is minor, well-justified, and does not introduce risk.

@pipedrive-backoffice-pr
Author

/review

@siirimangus siirimangus added the npm-version-patch used for deployment label May 27, 2026