fix: add npm override for axios to address CVE-2025-58754

jignaciopm · jignaciopm · commit 72114de14987 · 2026-06-16T01:05:31.000-04:00
Axios versions prior to 1.9.1 are vulnerable to Denial of Service via massive data schemas (CVE-2025-58754). The vulnerable version (1.9.0) is pulled as a transitive dependency from @edx/frontend-platform. Adding an npm override forces resolution to a patched version without changing the frontend-platform version, avoiding breaking changes.
diff --git a/package.json b/package.json
@@ -96,5 +96,8 @@
       }
     ],
     "normalizeFilenames": "^.+?(\\..+?)\\.\\w+$"
+  },
+  "overrides": {
+    "axios": "^1.9.1"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -96,5 +96,8 @@`
`96`	`96`	`}`
`97`	`97`	`],`
`98`	`98`	`"normalizeFilenames": "^.+?(\\..+?)\\.\\w+$"`
	`99`	`+ },`
	`100`	`+ "overrides": {`
	`101`	`+ "axios": "^1.9.1"`
`99`	`102`	`}`
`100`	`103`	`}`