From 8c5e29771b62ce07bcdb0aaae8cec9b40f5497fe Mon Sep 17 00:00:00 2001 From: Michael Mayer Date: Wed, 10 Jun 2026 16:55:39 +0000 Subject: [PATCH] Frontend: Upgrade axios from 1.16.1 to 1.17.0 Security-hardening and bug-fix minor release; no breaking changes for our usage. Keeps the exact pin (no caret) per the high-risk-package policy. Verified with make audit, OSV-Scanner, build-js, and test-js. --- frontend/AGENTS.md | 4 ++-- frontend/README.md | 10 +++++----- frontend/package.json | 2 +- package-lock.json | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/frontend/AGENTS.md b/frontend/AGENTS.md index 3149cd8e2..3f88343a3 100644 --- a/frontend/AGENTS.md +++ b/frontend/AGENTS.md @@ -1,11 +1,11 @@ # Frontend Guidelines -**Last Updated:** May 5, 2026 +**Last Updated:** June 10, 2026 ## Dependencies & Pins - [`frontend/README.md`](README.md) is the canonical doc for dependency pin rationale, the `overrides` layer, ESM-only upgrade blockers, and the orphan-audit pattern. -- **Pins are intentional.** When a version has no caret (e.g., `"axios": "1.16.1"`, `"vuetify": "3.12.2"`), check `frontend/README.md` and `git log -p -S "" -- frontend/package.json` for the reason before changing it. +- **Pins are intentional.** When a version has no caret (e.g., `"axios": "1.17.0"`, `"vuetify": "3.12.2"`), check `frontend/README.md` and `git log -p -S "" -- frontend/package.json` for the reason before changing it. - npm is a workspace; run `npm install --ignore-scripts --no-audit --no-fund --no-update-notifier` from the **repo root** (not `frontend/`) so the root `package-lock.json` updates. - After dep changes run `make audit`, `make build-js`, `make test-js`, and `make notice`. - Before adding a new dep — and especially before declaring an existing one "unused" — verify with `rg -nF "" frontend …` plus `npm ls --all` that no consumer or peer-dep needs it. diff --git a/frontend/README.md b/frontend/README.md index 3ce91fbde..2ca58f6fe 100644 --- a/frontend/README.md +++ b/frontend/README.md @@ -27,14 +27,14 @@ Other frontend documentation lives next to this file: ## Dependency Pinning Policy -**Pins are intentional.** When a version is locked without a caret (e.g., `"axios": "1.16.1"`), it is intentional. Before adjusting any pin, check the table below, the inline `//` comments at the top of `package.json`, and the git log (`git log -p -- frontend/package.json | grep -B2 -A4 ""`). +**Pins are intentional.** When a version is locked without a caret (e.g., `"axios": "1.17.0"`), it is intentional. Before adjusting any pin, check the table below, the inline `//` comments at the top of `package.json`, and the git log (`git log -p -- frontend/package.json | grep -B2 -A4 ""`). ### Currently Pinned Packages -| Package | Pin | Reason | -|-----------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `vuetify` | `3.12.2` | 3.12.3+ added an `onFocusout` handler to `VAutocomplete`/`VSelect`/`VCombobox` that closes long autocomplete/select dropdowns on open (#5538). Still unfixed in 3.12.5; upstream development moved to v4. See the long `//vuetify` comment in `package.json` and `frontend/CODEMAP.md` for retest steps. | -| `axios` | `1.16.1` | High-risk package. Originally pinned to `1.14.0` after the March 2026 supply-chain compromise (malicious `1.14.1`/`0.30.4` from a hijacked maintainer account). Quarantine was unwound on 2026-04-27 once OSV-Scanner came back clean. Keep an exact pin (no caret) per industry guidance for high-risk packages. | +| Package | Pin | Reason | +|-----------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `vuetify` | `3.12.2` | 3.12.3+ added an `onFocusout` handler to `VAutocomplete`/`VSelect`/`VCombobox` that closes long autocomplete/select dropdowns on open (#5538). Still unfixed in 3.12.5; upstream development moved to v4. See the long `//vuetify` comment in `package.json` and `frontend/CODEMAP.md` for retest steps. | +| `axios` | `1.17.0` | High-risk package. Originally pinned to `1.14.0` after the March 2026 supply-chain compromise (malicious `1.14.1`/`0.30.4` from a hijacked maintainer account). Quarantine was unwound on 2026-04-27 once OSV-Scanner came back clean; bumped to `1.17.0` on 2026-06-10 (security-hardening + bug-fix minor, OSV-Scanner clean). Keep an exact pin (no caret) per industry guidance for high-risk packages. | ### Override Layer (Transitive Pins) diff --git a/frontend/package.json b/frontend/package.json index e3de496da..e2a92b8b4 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -56,7 +56,7 @@ "@vue/language-server": "^3.3.4", "@vue/test-utils": "^2.4.11", "@vvo/tzdb": "^6.198.0", - "axios": "1.16.1", + "axios": "1.17.0", "axios-mock-adapter": "^2.1.0", "babel-loader": "^10.1.1", "babel-plugin-istanbul": "^7.0.1", diff --git a/package-lock.json b/package-lock.json index 6b119d998..368d1607e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -32,7 +32,7 @@ "@vue/language-server": "^3.3.4", "@vue/test-utils": "^2.4.11", "@vvo/tzdb": "^6.198.0", - "axios": "1.16.1", + "axios": "1.17.0", "axios-mock-adapter": "^2.1.0", "babel-loader": "^10.1.1", "babel-plugin-istanbul": "^7.0.1", @@ -8233,9 +8233,9 @@ } }, "node_modules/axios": { - "version": "1.16.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.16.1.tgz", - "integrity": "sha512-caYkukvroVPO8KrzuJEb50Hm07KwfBZPEC3VeFHTsqWHvKTsy54hjJz9BS/cdaypROE2rH6xvm9mHX4fgWkr3A==", + "version": "1.17.0", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.17.0.tgz", + "integrity": "sha512-J8SwNxprqqpbfenehxWYXE7CW+wM1BB4w3+N+g+/Wx40xM4rsLrfPmHHxSWIxJLYDgSY/HqlFPIYb2/S3rxafw==", "license": "MIT", "dependencies": { "follow-redirects": "^1.16.0",