Frontend: Upgrade axios from 1.16.1 to 1.17.0

Security-hardening and bug-fix minor release; no breaking changes for
our usage. Keeps the exact pin (no caret) per the high-risk-package
policy. Verified with make audit, OSV-Scanner, build-js, and test-js.
This commit is contained in:
Michael Mayer 2026-06-10 16:55:39 +00:00
parent 4b7565b3ac
commit 8c5e29771b
4 changed files with 12 additions and 12 deletions

View file

@ -1,11 +1,11 @@
# Frontend Guidelines
**Last Updated:** May 5, 2026
**Last Updated:** June 10, 2026
## Dependencies & Pins
- [`frontend/README.md`](README.md) is the canonical doc for dependency pin rationale, the `overrides` layer, ESM-only upgrade blockers, and the orphan-audit pattern.
- **Pins are intentional.** When a version has no caret (e.g., `"axios": "1.16.1"`, `"vuetify": "3.12.2"`), check `frontend/README.md` and `git log -p -S "<pkg>" -- frontend/package.json` for the reason before changing it.
- **Pins are intentional.** When a version has no caret (e.g., `"axios": "1.17.0"`, `"vuetify": "3.12.2"`), check `frontend/README.md` and `git log -p -S "<pkg>" -- frontend/package.json` for the reason before changing it.
- npm is a workspace; run `npm install --ignore-scripts --no-audit --no-fund --no-update-notifier` from the **repo root** (not `frontend/`) so the root `package-lock.json` updates.
- After dep changes run `make audit`, `make build-js`, `make test-js`, and `make notice`.
- Before adding a new dep — and especially before declaring an existing one "unused" — verify with `rg -nF "<pkg>" frontend …` plus `npm ls <pkg> --all` that no consumer or peer-dep needs it.

View file

@ -27,14 +27,14 @@ Other frontend documentation lives next to this file:
## Dependency Pinning Policy
**Pins are intentional.** When a version is locked without a caret (e.g., `"axios": "1.16.1"`), it is intentional. Before adjusting any pin, check the table below, the inline `//` comments at the top of `package.json`, and the git log (`git log -p -- frontend/package.json | grep -B2 -A4 "<pkg>"`).
**Pins are intentional.** When a version is locked without a caret (e.g., `"axios": "1.17.0"`), it is intentional. Before adjusting any pin, check the table below, the inline `//` comments at the top of `package.json`, and the git log (`git log -p -- frontend/package.json | grep -B2 -A4 "<pkg>"`).
### Currently Pinned Packages
| Package | Pin | Reason |
|-----------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `vuetify` | `3.12.2` | 3.12.3+ added an `onFocusout` handler to `VAutocomplete`/`VSelect`/`VCombobox` that closes long autocomplete/select dropdowns on open (#5538). Still unfixed in 3.12.5; upstream development moved to v4. See the long `//vuetify` comment in `package.json` and `frontend/CODEMAP.md` for retest steps. |
| `axios` | `1.16.1` | High-risk package. Originally pinned to `1.14.0` after the March 2026 supply-chain compromise (malicious `1.14.1`/`0.30.4` from a hijacked maintainer account). Quarantine was unwound on 2026-04-27 once OSV-Scanner came back clean. Keep an exact pin (no caret) per industry guidance for high-risk packages. |
| Package | Pin | Reason |
|-----------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `vuetify` | `3.12.2` | 3.12.3+ added an `onFocusout` handler to `VAutocomplete`/`VSelect`/`VCombobox` that closes long autocomplete/select dropdowns on open (#5538). Still unfixed in 3.12.5; upstream development moved to v4. See the long `//vuetify` comment in `package.json` and `frontend/CODEMAP.md` for retest steps. |
| `axios` | `1.17.0` | High-risk package. Originally pinned to `1.14.0` after the March 2026 supply-chain compromise (malicious `1.14.1`/`0.30.4` from a hijacked maintainer account). Quarantine was unwound on 2026-04-27 once OSV-Scanner came back clean; bumped to `1.17.0` on 2026-06-10 (security-hardening + bug-fix minor, OSV-Scanner clean). Keep an exact pin (no caret) per industry guidance for high-risk packages. |
### Override Layer (Transitive Pins)

View file

@ -56,7 +56,7 @@
"@vue/language-server": "^3.3.4",
"@vue/test-utils": "^2.4.11",
"@vvo/tzdb": "^6.198.0",
"axios": "1.16.1",
"axios": "1.17.0",
"axios-mock-adapter": "^2.1.0",
"babel-loader": "^10.1.1",
"babel-plugin-istanbul": "^7.0.1",

8
package-lock.json generated
View file

@ -32,7 +32,7 @@
"@vue/language-server": "^3.3.4",
"@vue/test-utils": "^2.4.11",
"@vvo/tzdb": "^6.198.0",
"axios": "1.16.1",
"axios": "1.17.0",
"axios-mock-adapter": "^2.1.0",
"babel-loader": "^10.1.1",
"babel-plugin-istanbul": "^7.0.1",
@ -8233,9 +8233,9 @@
}
},
"node_modules/axios": {
"version": "1.16.1",
"resolved": "https://registry.npmjs.org/axios/-/axios-1.16.1.tgz",
"integrity": "sha512-caYkukvroVPO8KrzuJEb50Hm07KwfBZPEC3VeFHTsqWHvKTsy54hjJz9BS/cdaypROE2rH6xvm9mHX4fgWkr3A==",
"version": "1.17.0",
"resolved": "https://registry.npmjs.org/axios/-/axios-1.17.0.tgz",
"integrity": "sha512-J8SwNxprqqpbfenehxWYXE7CW+wM1BB4w3+N+g+/Wx40xM4rsLrfPmHHxSWIxJLYDgSY/HqlFPIYb2/S3rxafw==",
"license": "MIT",
"dependencies": {
"follow-redirects": "^1.16.0",