mirror of
https://github.com/photoprism/photoprism.git
synced 2026-07-17 16:49:04 +00:00
Frontend: Upgrade axios from 1.16.1 to 1.17.0
Security-hardening and bug-fix minor release; no breaking changes for our usage. Keeps the exact pin (no caret) per the high-risk-package policy. Verified with make audit, OSV-Scanner, build-js, and test-js.
This commit is contained in:
parent
4b7565b3ac
commit
8c5e29771b
4 changed files with 12 additions and 12 deletions
|
|
@ -1,11 +1,11 @@
|
||||||
# Frontend Guidelines
|
# Frontend Guidelines
|
||||||
|
|
||||||
**Last Updated:** May 5, 2026
|
**Last Updated:** June 10, 2026
|
||||||
|
|
||||||
## Dependencies & Pins
|
## Dependencies & Pins
|
||||||
|
|
||||||
- [`frontend/README.md`](README.md) is the canonical doc for dependency pin rationale, the `overrides` layer, ESM-only upgrade blockers, and the orphan-audit pattern.
|
- [`frontend/README.md`](README.md) is the canonical doc for dependency pin rationale, the `overrides` layer, ESM-only upgrade blockers, and the orphan-audit pattern.
|
||||||
- **Pins are intentional.** When a version has no caret (e.g., `"axios": "1.16.1"`, `"vuetify": "3.12.2"`), check `frontend/README.md` and `git log -p -S "<pkg>" -- frontend/package.json` for the reason before changing it.
|
- **Pins are intentional.** When a version has no caret (e.g., `"axios": "1.17.0"`, `"vuetify": "3.12.2"`), check `frontend/README.md` and `git log -p -S "<pkg>" -- frontend/package.json` for the reason before changing it.
|
||||||
- npm is a workspace; run `npm install --ignore-scripts --no-audit --no-fund --no-update-notifier` from the **repo root** (not `frontend/`) so the root `package-lock.json` updates.
|
- npm is a workspace; run `npm install --ignore-scripts --no-audit --no-fund --no-update-notifier` from the **repo root** (not `frontend/`) so the root `package-lock.json` updates.
|
||||||
- After dep changes run `make audit`, `make build-js`, `make test-js`, and `make notice`.
|
- After dep changes run `make audit`, `make build-js`, `make test-js`, and `make notice`.
|
||||||
- Before adding a new dep — and especially before declaring an existing one "unused" — verify with `rg -nF "<pkg>" frontend …` plus `npm ls <pkg> --all` that no consumer or peer-dep needs it.
|
- Before adding a new dep — and especially before declaring an existing one "unused" — verify with `rg -nF "<pkg>" frontend …` plus `npm ls <pkg> --all` that no consumer or peer-dep needs it.
|
||||||
|
|
|
||||||
|
|
@ -27,14 +27,14 @@ Other frontend documentation lives next to this file:
|
||||||
|
|
||||||
## Dependency Pinning Policy
|
## Dependency Pinning Policy
|
||||||
|
|
||||||
**Pins are intentional.** When a version is locked without a caret (e.g., `"axios": "1.16.1"`), it is intentional. Before adjusting any pin, check the table below, the inline `//` comments at the top of `package.json`, and the git log (`git log -p -- frontend/package.json | grep -B2 -A4 "<pkg>"`).
|
**Pins are intentional.** When a version is locked without a caret (e.g., `"axios": "1.17.0"`), it is intentional. Before adjusting any pin, check the table below, the inline `//` comments at the top of `package.json`, and the git log (`git log -p -- frontend/package.json | grep -B2 -A4 "<pkg>"`).
|
||||||
|
|
||||||
### Currently Pinned Packages
|
### Currently Pinned Packages
|
||||||
|
|
||||||
| Package | Pin | Reason |
|
| Package | Pin | Reason |
|
||||||
|-----------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|-----------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| `vuetify` | `3.12.2` | 3.12.3+ added an `onFocusout` handler to `VAutocomplete`/`VSelect`/`VCombobox` that closes long autocomplete/select dropdowns on open (#5538). Still unfixed in 3.12.5; upstream development moved to v4. See the long `//vuetify` comment in `package.json` and `frontend/CODEMAP.md` for retest steps. |
|
| `vuetify` | `3.12.2` | 3.12.3+ added an `onFocusout` handler to `VAutocomplete`/`VSelect`/`VCombobox` that closes long autocomplete/select dropdowns on open (#5538). Still unfixed in 3.12.5; upstream development moved to v4. See the long `//vuetify` comment in `package.json` and `frontend/CODEMAP.md` for retest steps. |
|
||||||
| `axios` | `1.16.1` | High-risk package. Originally pinned to `1.14.0` after the March 2026 supply-chain compromise (malicious `1.14.1`/`0.30.4` from a hijacked maintainer account). Quarantine was unwound on 2026-04-27 once OSV-Scanner came back clean. Keep an exact pin (no caret) per industry guidance for high-risk packages. |
|
| `axios` | `1.17.0` | High-risk package. Originally pinned to `1.14.0` after the March 2026 supply-chain compromise (malicious `1.14.1`/`0.30.4` from a hijacked maintainer account). Quarantine was unwound on 2026-04-27 once OSV-Scanner came back clean; bumped to `1.17.0` on 2026-06-10 (security-hardening + bug-fix minor, OSV-Scanner clean). Keep an exact pin (no caret) per industry guidance for high-risk packages. |
|
||||||
|
|
||||||
### Override Layer (Transitive Pins)
|
### Override Layer (Transitive Pins)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -56,7 +56,7 @@
|
||||||
"@vue/language-server": "^3.3.4",
|
"@vue/language-server": "^3.3.4",
|
||||||
"@vue/test-utils": "^2.4.11",
|
"@vue/test-utils": "^2.4.11",
|
||||||
"@vvo/tzdb": "^6.198.0",
|
"@vvo/tzdb": "^6.198.0",
|
||||||
"axios": "1.16.1",
|
"axios": "1.17.0",
|
||||||
"axios-mock-adapter": "^2.1.0",
|
"axios-mock-adapter": "^2.1.0",
|
||||||
"babel-loader": "^10.1.1",
|
"babel-loader": "^10.1.1",
|
||||||
"babel-plugin-istanbul": "^7.0.1",
|
"babel-plugin-istanbul": "^7.0.1",
|
||||||
|
|
|
||||||
8
package-lock.json
generated
8
package-lock.json
generated
|
|
@ -32,7 +32,7 @@
|
||||||
"@vue/language-server": "^3.3.4",
|
"@vue/language-server": "^3.3.4",
|
||||||
"@vue/test-utils": "^2.4.11",
|
"@vue/test-utils": "^2.4.11",
|
||||||
"@vvo/tzdb": "^6.198.0",
|
"@vvo/tzdb": "^6.198.0",
|
||||||
"axios": "1.16.1",
|
"axios": "1.17.0",
|
||||||
"axios-mock-adapter": "^2.1.0",
|
"axios-mock-adapter": "^2.1.0",
|
||||||
"babel-loader": "^10.1.1",
|
"babel-loader": "^10.1.1",
|
||||||
"babel-plugin-istanbul": "^7.0.1",
|
"babel-plugin-istanbul": "^7.0.1",
|
||||||
|
|
@ -8233,9 +8233,9 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/axios": {
|
"node_modules/axios": {
|
||||||
"version": "1.16.1",
|
"version": "1.17.0",
|
||||||
"resolved": "https://registry.npmjs.org/axios/-/axios-1.16.1.tgz",
|
"resolved": "https://registry.npmjs.org/axios/-/axios-1.17.0.tgz",
|
||||||
"integrity": "sha512-caYkukvroVPO8KrzuJEb50Hm07KwfBZPEC3VeFHTsqWHvKTsy54hjJz9BS/cdaypROE2rH6xvm9mHX4fgWkr3A==",
|
"integrity": "sha512-J8SwNxprqqpbfenehxWYXE7CW+wM1BB4w3+N+g+/Wx40xM4rsLrfPmHHxSWIxJLYDgSY/HqlFPIYb2/S3rxafw==",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"follow-redirects": "^1.16.0",
|
"follow-redirects": "^1.16.0",
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue