Fix pipeline #1535
Conversation
📝 Walkthrough: Axios dependency bumped from 1.8.4 to 1.12.1 across examples and many packages. A changeset update removes five modules from the patch list and adjusts ESM compatibility notes (bitcore-lib-cash marker change; add .js extensions for coinselect/accumulative and cosmjs-types).
Actionable comments posted: 5
🧹 Nitpick comments (4)
compromised.js (4)
3-10: Hardcoded, placeholder list risks drift. Externalize the list (JSON in repo or fetched from an advisory source) and/or support semver ranges instead of exact pins to reduce misses.
I can wire this to GitHub Advisory DB or npm audit and translate results to your current output. Want a follow-up patch?
1-1: Optional: add a shebang for direct execution. If invoked as an executable in CI, add a shebang line.
+#!/usr/bin/env node
37-42: Optional: English/bilingual output for CI logs. Repo/logs are mostly English; consider bilingual messages or an ENV flag to switch locale.
Example:
- console.log('⚠️ Se encontraron dependencias comprometidas:')
+ console.log(process.env.LANG?.startsWith('es') ? '⚠️ Se encontraron dependencias comprometidas:' : '⚠️ Compromised dependencies found:')
29-33: Optional: support workspaces with alternate lockfile paths. If CI runs from a subdir, allow a LOCKFILE env var or detect pnpm/package-lock to fail early with a clear message.
-const file = 'yarn.lock'
+const file = process.env.LOCKFILE || 'yarn.lock'
📜 Review details
📒 Files selected for processing (2)
- .changeset/ripe-heads-stop.md (1 hunk)
- compromised.js (1 hunk)
🔇 Additional comments (1)
.changeset/ripe-heads-stop.md (1)
1-19: Verify removed packages don't require release bumps. Automated check failed: running
npx changeset status --since=master
errored ("npm error could not determine executable to run"). Run locally and paste the output of:
git fetch origin master:master
npx changeset status --since=master
Confirm the five packages removed from the patch list in .changeset/ripe-heads-stop.md (lines 1–19) had no user-visible changes and do not require releases.
| - Change bitcore-lib-cash imports from namespace to default imports for ESM compatibility | ||
| - Change @dashevo/dashcore-lib imports from namespace to default imports for ESM compatibility |
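Review bot: only bitcore-lib-cash is checked against the registry in the analysis that follows, yet the second line makes the identical default-import claim for @dashevo/dashcore-lib; a default import of a CommonJS package only compiles under esModuleInterop/allowSyntheticDefaultImports, so inspect dashcore-lib's package.json (main/exports, presence of a module field) the same way before the changeset advertises default imports for both, and state in the entry which mechanism makes them work.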
Default import for bitcore-lib-cash may be unsafe.
If bitcore-lib-cash is CommonJS, default imports require TS esModuleInterop/syntheticDefaultImports or an actual ESM default export. Please confirm the library/version and tsconfig flags.
🌐 Web query:
Does "bitcore-lib-cash" provide an ESM build or a default export usable via `import bitcore from 'bitcore-lib-cash'`?
💡 Result:
No. bitcore-lib-cash is published as CommonJS (package.json has "main":"index.js" and no "module"/ESM export) and its type defs use export = (CommonJS style). Import with require() or a named/namespace import (e.g. import * as bitcore from 'bitcore-lib-cash') rather than a native default ESM import. [1][2]
Sources:
[1] package.json from the published package (shows "main": "index.js" and no "module" field). [unpkg]. (app.unpkg.com)
[2] DefinitelyTyped / @types/bitcore-lib-cash indicates CJS-style export (= export =). (npmjs.com)
Citations:
- 1: https://app.unpkg.com/bitcore-lib-cash%408.25.40/files/package.json?utm_source=openai
- 2: https://www.npmjs.com/package/%40types/bitcore-lib-cash?utm_source=openai
Don't switch bitcore-lib-cash to a default ESM import — it's CommonJS
bitcore-lib-cash is published as CommonJS (package.json only has "main" and types use export =), so import bitcore from 'bitcore-lib-cash' is unsafe. Revert/update the changeset entry (.changeset/ripe-heads-stop.md lines 24–25) and either keep the namespace import (import * as bitcore from 'bitcore-lib-cash'), enable esModuleInterop/allowSyntheticDefaultImports in tsconfig, or only switch once the package provides an ESM default export. Confirm which approach you choose.
🤖 Prompt for AI Agents
In .changeset/ripe-heads-stop.md around lines 24–25, revert or update the
changeset entry that switched bitcore-lib-cash to a default ESM import because
bitcore-lib-cash is CommonJS; restore the namespace form (or remove the line) so
the changeset reflects using import * as bitcore from 'bitcore-lib-cash', or
explicitly state that the project will enable
esModuleInterop/allowSyntheticDefaultImports in tsconfig if you want
default-style imports; update the file to reflect which approach you choose and
confirm that the changeset now matches the chosen import strategy.
| - Add .js extensions to coinselect/accumulative imports for ESM | ||
| - Add .js extensions to cosmjs-types imports for ESM |
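Review bot: both lines describe an import change, but the repository search later in this thread finds no coinselect/accumulative import at all and one cosmjs-types import still without the extension (packages/xchain-cosmos/e2e/cosmos-client.e2e.ts:14), so the changeset overstates what the diff does; drop the first line, finish the second, and consider a lint rule that requires explicit file extensions on deep imports so the next omission fails in CI rather than at ESM load time.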
Audit repo for missing .js extensions on ESM-only paths.
Ensure all coinselect/accumulative and cosmjs-types imports include .js where required.
Run:
🏁 Script executed:
#!/bin/bash
# Find potential imports missing ".js" for the noted modules
rg -nP --type=ts --type=tsx --type=js --type=mjs $'from\\s+[\'"](coinselect/accumulative|cosmjs-types[^\'"]*)[\'"]' -S
Length of output: 27
🏁 Script executed:
#!/bin/bash
set -uo pipefail
echo "Searching repository for imports/requires/dynamic-imports referencing coinselect/accumulative or cosmjs-types (looking for missing .js extensions)..."
# Search common source file extensions (ts, tsx, js, mjs, jsx)
rg -nP -S -g '**/*.{ts,tsx,js,mjs,jsx}' "from\s+['\"][^'\"]*(?:coinselect/accumulative|cosmjs-types[^'\"]*)['\"]" || true
rg -nP -S -g '**/*.{ts,tsx,js,mjs,jsx}' "require\(['\"][^'\"]*(?:coinselect/accumulative|cosmjs-types[^'\"]*)['\"]\)" || true
rg -nP -S -g '**/*.{ts,tsx,js,mjs,jsx}' "import\(['\"][^'\"]*(?:coinselect/accumulative|cosmjs-types[^'\"]*)['\"]\)" || true
echo "Search complete."
Length of output: 1037
Add missing .js extension to a cosmjs-types import
- packages/xchain-cosmos/e2e/cosmos-client.e2e.ts:14 — change
import { TxRaw } from 'cosmjs-types/cosmos/tx/v1beta1/tx'
to
import { TxRaw } from 'cosmjs-types/cosmos/tx/v1beta1/tx.js'
- No occurrences of coinselect/accumulative found.
🤖 Prompt for AI Agents
In .changeset/ripe-heads-stop.md around lines 26 to 27: update the note to
reflect that the import in packages/xchain-cosmos/__e2e__/cosmos-client.e2e.ts
(line ~14) must use the ESM .js extension by changing the import of TxRaw from
'cosmjs-types/cosmos/tx/v1beta1/tx' to 'cosmjs-types/cosmos/tx/v1beta1/tx.js';
verify the file compiles under ESM and remove any mention of
coinselect/accumulative since there are no occurrences.
compromised.js
Outdated
| @@ -0,0 +1,42 @@ | |||
| const fs = require('fs') | |||
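Review bot: the new script hard-codes a single yarn.lock path (lines 29-33, per the nitpick above) and Yarn v1 syntax, yet the verification output further down this thread reports no yarn.lock at the repository root and a pnpm-lock.yaml in the workspace; in that layout the scanner has nothing to inspect, and without a non-zero exit (see the exit-code comment below) CI proceeds anyway. Take the lockfile path as an argument, fail the run when it is absent, and parse the lockfile format the workspace actually commits.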
🛠️ Refactor suggestion
Align module format with repo ESM direction.
This uses CommonJS; in a "type: module" repo it will throw. Either rename to compromised.cjs or convert to ESM imports.
Option: convert to ESM
-const fs = require('fs')
+import { readFileSync, existsSync } from 'node:fs'
@@
- const content = fs.readFileSync(file, 'utf8')
+ const content = readFileSync(file, 'utf8')
@@
-if (!fs.existsSync(file)) {
+if (!existsSync(file)) {
Also applies to: 13-13, 31-31
🤖 Prompt for AI Agents
In compromised.js around lines 1, 13 and 31, the file uses CommonJS (require)
which will break in a "type: module" repo; convert to ESM by replacing require
calls with import statements (e.g., import fs from 'fs') and convert any
module.exports assignments to ES exports (export default or named exports), or
alternatively rename the file to compromised.cjs if you must keep CommonJS;
ensure package.json "type" remains consistent and update any top-level require
usage accordingly.
compromised.js
Outdated
| for (const [pkg, versions] of Object.entries(compromised)) { | ||
| versions.forEach((ver) => { | ||
| // Yarn.lock tiene entradas tipo: chalk@^5.0.0: | ||
| const regex = new RegExp(`\\n${pkg}@[^:]+:\\n[\\s\\S]*?version "\\s*${ver}\\s*"`, 'g') | ||
| if (regex.test(content)) { | ||
| results.push({ name: pkg, version: ver }) | ||
| } | ||
| }) | ||
| } |
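Review bot: the pattern anchors on the first `pkg@…:` header but then uses a lazy `[\s\S]*?` that is not bounded by the block, so it runs into later entries and matches any subsequent `version "<ver>"` line, reporting pkg@ver even when a different package carries that version; neither `pkg` nor `ver` is regex-escaped, so `.` in a version matches any character and a scoped name or one containing `+` misbehaves; and `[^:]+` cannot match Yarn Berry headers such as `"chalk@npm:^5.0.0":`. Split the lockfile into blocks (header line plus its indented lines) and compare each block's own `version` field as a string instead of searching the whole file.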
🛠️ Refactor suggestion
Regex is brittle; misses Yarn v2/v3 and can mis-anchor.
It only matches Yarn v1’s version "x.y.z" lines and assumes key format without quotes. Match both v1 and v2/v3 (version: … / resolution: …) and escape package names.
Apply:
function checkYarnLock(file) {
const content = fs.readFileSync(file, 'utf8')
const results = []
for (const [pkg, versions] of Object.entries(compromised)) {
versions.forEach((ver) => {
- // Yarn.lock tiene entradas tipo: chalk@^5.0.0:
- const regex = new RegExp(`\\n${pkg}@[^:]+:\\n[\\s\\S]*?version "\\s*${ver}\\s*"`, 'g')
+ // Soporta Yarn v1 (version "x.y.z") y Yarn v2/v3 (version: x.y.z o resolution: "[email protected]")
+ const escapeRegExp = (s) => s.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&')
+ const key = String.raw`(?:^|\n)"?${escapeRegExp(pkg)}@[^:\n]+"?:\n`
+ const v1 = String.raw`\s*version\s*["']?${escapeRegExp(ver)}["']?`
+ const v2 = String.raw`\s*resolution\s*["'][^"\n]*@${escapeRegExp(ver)}["']`
+ const regex = new RegExp(`${key}[\\s\\S]*?(?:\\n${v1}|\\n${v2})`, 'm')
if (regex.test(content)) {
results.push({ name: pkg, version: ver })
}
})
}
return results
}
(If you switch the file to ESM, adjust the fs imports accordingly.)
🤖 Prompt for AI Agents
In compromised.js around lines 16 to 24, the current regex is brittle: it
assumes Yarn v1 key formatting and only matches lines like version "x.y.z",
which misses Yarn v2/v3 formats and package names that contain regex
metacharacters. Fix by escaping the package name before inserting into the regex
(use an escapeRegExp helper), and replace the current pattern with a more
permissive multiline regex that matches both Yarn v1 and v2/v3 patterns — e.g.
accept quoted or unquoted lockfile keys (pkg@...), optional whitespace, and
either version "x.y.z", version: x.y.z, or resolution entries that contain the
version, allowing optional quotes around the version; use the 'm' and 'g' flags
and test against that pattern. Ensure you still push { name: pkg, version: ver }
when matched.
compromised.js
Outdated
| if (bad.length === 0) { | ||
| console.log('✅ No se encontraron dependencias comprometidas.') | ||
| } else { | ||
| console.log('⚠️ Se encontraron dependencias comprometidas:') | ||
| console.table(bad) | ||
| } |
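Review bot: besides the missing non-zero exit, prefer `process.exitCode = 1` to calling `process.exit(1)` right after `console.table`: when stdout is a pipe, as it is in most CI runners, `process.exit()` can terminate the process before pending stdout writes are flushed, and the table that explains the failure is lost from the log.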
CI will not fail on findings (missing non-zero exit).
Script only logs results; it never exits with code 1 when compromised deps are found.
Apply:
-if (bad.length === 0) {
- console.log('✅ No se encontraron dependencias comprometidas.')
-} else {
- console.log('⚠️ Se encontraron dependencias comprometidas:')
- console.table(bad)
-}
+if (bad.length === 0) {
+ console.log('✅ No se encontraron dependencias comprometidas.')
+ process.exit(0)
+} else {
+ console.log('⚠️ Se encontraron dependencias comprometidas:')
+ console.table(bad)
+ process.exit(1)
+}
🤖 Prompt for AI Agents
In compromised.js around lines 37 to 42, the script only logs compromised
dependencies and never fails CI; modify the flow so that when bad.length > 0 you
print the warning/table as now and then terminate the process with a non-zero
exit (e.g., process.exit(1)) to signal failure to CI, keeping the success case
returning zero (or no-op) for bad.length === 0.
Actionable comments posted: 0
🧹 Nitpick comments (1)
examples/do-swap/package.json (1)
39-39: LGTM. Consider aligning axios-retry versions across examples. axios bump looks fine. Optional: standardize axios-retry to a single version (e.g., ^3.3.1) across example apps to reduce duplication.
📜 Review details
⛔ Files ignored due to path filters (1)
- yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (10)
- examples/check-tx/package.json (1 hunk)
- examples/do-swap/package.json (1 hunk)
- examples/estimate-swap/package.json (1 hunk)
- examples/liquidity/package.json (1 hunk)
- examples/wallet/package.json (1 hunk)
- packages/xchain-cosmos/package.json (1 hunk)
- packages/xchain-mayachain-query/package.json (1 hunk)
- packages/xchain-mayachain/package.json (1 hunk)
- packages/xchain-thorchain-query/package.json (1 hunk)
- packages/xchain-thorchain/package.json (1 hunk)
✅ Files skipped from review due to trivial changes (4)
- packages/xchain-mayachain-query/package.json
- packages/xchain-thorchain-query/package.json
- examples/estimate-swap/package.json
- examples/liquidity/package.json
🔇 Additional comments (5)
examples/check-tx/package.json (1)
21-21: LGTM — axios bumped to 1.12.1; verify dedupe & axios-retry
- Findings: mixed axios versions present — many packages now use 1.12.1 but several still declare ^1.8.4/^1.6.1; transitive deps (e.g. @ledgerhq/* → [email protected], @chainflip/sdk → 1.10.0, @openapitools/openapi-generator-cli → 1.9.0) will pull older axios. yarn dedupe output shows axios can be flattened to 1.12.1 but confirm after a full install.
- axios-retry: multiple versions in the workspace (3.2.5 / 3.3.1 / 3.9.1) — verify they remain compatible with [email protected].
- Deprecated APIs: quick grep found no CancelToken/axios/lib usage, but .mjs files were not scanned — run a full scan including .mjs and run tests.
- Action items: align package.json ranges (or pin) to the target version, upgrade upstream/transitive packages where possible, run yarn install && yarn dedupe (inspect yarn.lock / yarn why axios) and re-run the grep + test suite to confirm a single axios copy and no deprecated API usage.
packages/xchain-cosmos/package.json (1)
49-49: LGTM. Check ESM/CJS interop with rollup output. Given module: "lib/index.esm.js" and CJS main, confirm axios 1.12.x tree-shakes and interops cleanly with your rollup config and Node targets.
packages/xchain-mayachain/package.json (1)
49-49: LGTM. Validate no reliance on CancelToken or adapter internals. If any code still uses CancelToken or axios/lib adapters, update to AbortController and public adapters.
examples/wallet/package.json (1)
27-27: LGTM. Confirm runtime Node version compatibility in CI. Ensure CI/build images meet axios 1.12.x Node engine support to avoid pipeline surprises.
packages/xchain-thorchain/package.json (1)
52-52: LGTM. Pin looks consistent with workspace policy. No further changes needed; just ensure lockfile updated and CI caches are invalidated so the pipeline uses 1.12.1.
Actionable comments posted: 2
🧹 Nitpick comments (1)
packages/xchain-mayamidgard/package.json (1)
36-38: Correct to keep axios as a runtime dependency for generated clients. Pinning avoids generator/axios drift. Consider adding a root "resolutions"/"overrides" entry to force transitive axios to 1.12.1 as well (optional).
📜 Review details
⛔ Files ignored due to path filters (1)
- yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (18)
- packages/xchain-aggregator/package.json (1 hunk)
- packages/xchain-bitcoin/package.json (1 hunk)
- packages/xchain-bitcoincash/package.json (1 hunk)
- packages/xchain-client/package.json (1 hunk)
- packages/xchain-dash/package.json (1 hunk)
- packages/xchain-doge/package.json (1 hunk)
- packages/xchain-evm-providers/package.json (1 hunk)
- packages/xchain-evm/package.json (1 hunk)
- packages/xchain-litecoin/package.json (1 hunk)
- packages/xchain-mayachain-amm/package.json (1 hunk)
- packages/xchain-mayamidgard-query/package.json (1 hunk)
- packages/xchain-mayamidgard/package.json (1 hunk)
- packages/xchain-mayanode/package.json (1 hunk)
- packages/xchain-midgard-query/package.json (1 hunk)
- packages/xchain-midgard/package.json (1 hunk)
- packages/xchain-thorchain-amm/package.json (1 hunk)
- packages/xchain-thornode/package.json (1 hunk)
- packages/xchain-utxo-providers/package.json (1 hunk)
✅ Files skipped from review due to trivial changes (3)
- packages/xchain-doge/package.json
- packages/xchain-bitcoin/package.json
- packages/xchain-mayachain-amm/package.json
🔇 Additional comments (12)
packages/xchain-dash/package.json (1)
49-53: Pin looks good; keep as devDependency. No runtime usage here, so devDependency is appropriate. Nothing else needed.
packages/xchain-client/package.json (1)
21-25: Runtime pin to [email protected] — OK; fix example and commit lockfile. Dependency is correctly runtime. Most workspace packages pin [email protected]; exception: examples/frameworks/vite-example/package.json currently uses "axios": "^1.6.1" — update it to 1.12.1. No yarn.lock found in the repo root; commit/update the repository lockfile (yarn.lock / package-lock.json / pnpm-lock.yaml) so installs resolve to the pinned version. yarn why shows transitive axios versions (1.10.0, 1.9.0, 1.7.7) coming from third‑party deps.
packages/xchain-evm/package.json (1)
47-52: OK to keep axios only for tests. devDependency + axios-mock-adapter pairing is consistent.
packages/xchain-bitcoincash/package.json (1)
49-55: LGTM on pin; scope limited to tests. No runtime dependency here; devDependency is correct.
packages/xchain-aggregator/package.json (1)
44-53: Dev-only usage confirmed — pin is fine. axios is only imported in packages/xchain-aggregator/mocks/axios-adapter.ts (used by files under mocks), so keeping it as a devDependency is correct. If aggregator ever makes runtime HTTP calls, promote axios to dependencies.
packages/xchain-thornode/package.json (1)
36-38: Runtime dependency pin makes sense for OpenAPI-generated client. No further changes needed.
packages/xchain-mayanode/package.json (1)
36-38: LGTM on axios pin as a runtime dependency. Matches the generator's expectations; safe to ship.
packages/xchain-utxo-providers/package.json (1)
34-35: Pin looks good; aligns with repo-wide axios upgrade. Helps pipeline reproducibility and picks up security fixes mentioned above. Consider a root-level "resolutions/overrides" to keep workspaces on one axios if you see duplication. (ibm.com)
Use the same script from the first comment to confirm no remaining ^ ranges or older axios versions.
packages/xchain-midgard-query/package.json (1)
38-40: LGTM: axios pinned to 1.12.1. Covers the SSRF fix (>=1.8.2) and DoS fix (>=1.12.0). (rapid7.com)
packages/xchain-evm-providers/package.json (1)
34-36: LGTM: bump axios → 1.12.1. yarn.lock contains axios-retry 3.x (3.2.5 and ^3.9.1 → resolved 3.9.1); confirm axios-retry 3.x is compatible with axios >=1.7 fetch-adapter behavior or pin/upgrade retry middleware in consumers.
packages/xchain-midgard/package.json (1)
37-38: LGTM: axios pinned to 1.12.1. Brings in the SSRF and DoS fixes already referenced. (ibm.com)
packages/xchain-thorchain-amm/package.json (1)
60-62: DevDependency pin to 1.12.1 looks good. Keep an eye on any dev tooling using axios-mock-adapter; current releases support axios 1.x, so no action expected. (github.com)
| "axios": "1.12.1", | ||
| "bitcoinjs-lib": "^6.1.7", | ||
| "coinselect": "3.1.12", | ||
| "ecpair": "2.1.0" |
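Review bot: the exact pin only takes effect through the lockfile, and this review cannot see it: yarn.lock is excluded by the path filter listed in the review details, and the analysis that follows finds several axios versions resolved across the workspace. Before merging, run `yarn why axios` locally and confirm which version this package actually resolves to, since a transitive dependency can still pull an older copy alongside the pinned one.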
LGTM: dependency pin to 1.12.1.
No further changes needed here. If this package is consumed by others, double-check the workspace lockfile yields a single axios copy. (cdnjs.com)
🏁 Script executed:
#!/bin/bash
# Verify only one version of axios is locked
fd -a 'yarn.lock' -x rg -n '^axios@' {}
Length of output: 0
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "1) Show axios entry in packages/xchain-litecoin/package.json (if present):"
rg -n -C2 '"axios"\s*:' packages/xchain-litecoin/package.json || true
echo
echo "2) Find any package.json that mentions axios (dependencies/devDependencies/peerDependencies):"
rg -n --hidden --no-ignore-vcs -S '"axios"\s*:\s*".+?"' || true
echo
echo "3) Inspect lockfiles for axios entries (yarn.lock, package-lock.json, pnpm-lock.yaml, npm-shrinkwrap.json):"
find . -type f \( -name 'yarn.lock' -o -name 'package-lock.json' -o -name 'pnpm-lock.yaml' -o -name 'npm-shrinkwrap.json' \) -print 2>/dev/null | while read -r lock; do
echo "---- $lock ----"
rg -n --hidden --no-ignore-vcs -S 'axios@|\"axios\"|axios-[0-9]+\.[0-9]+\.[0-9]+' "$lock" || true
done
echo
echo "4) Heuristic: list distinct axios version strings found anywhere:"
rg -o --hidden --no-ignore-vcs -S 'axios@?([^\s:,"]*?)([0-9]+\.[0-9]+\.[0-9]+)' || true
rg -o --hidden --no-ignore-vcs -S 'axios-[0-9]+\.[0-9]+\.[0-9]+' || true
Length of output: 2900
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Looking for lockfiles..."
locks=$(find . -type f \( -name 'yarn.lock' -o -name 'package-lock.json' -o -name 'pnpm-lock.yaml' -o -name 'npm-shrinkwrap.json' \) -print)
if [ -z "$locks" ]; then
echo "No lockfiles found."
exit 0
fi
for lock in $locks; do
echo
echo "---- $lock ----"
# Show any lines that mention axios with small context
rg -n --hidden --no-ignore-vcs -F 'axios' "$lock" -C3 || true
echo
# If yarn.lock, print entire axios blocks (entry + next 8 lines) to capture 'version' lines
if [[ "$(basename "$lock")" == "yarn.lock" ]]; then
echo "Axios blocks from yarn.lock (entry + 8 lines):"
sed -n '/^axios@/,+8p' "$lock" || true
echo
echo "Distinct semver strings found in those axios blocks:"
sed -n '/^axios@/,+8p' "$lock" | rg -oE '([0-9]+\.[0-9]+\.[0-9]+)' | sort -u || true
else
echo "Heuristic: distinct semver strings near axios occurrences in $lock:"
# show semver candidates near lines containing axios
rg -n --hidden --no-ignore-vcs -F 'axios' "$lock" -C3 | rg -oE '([0-9]+\.[0-9]+\.[0-9]+)' | sort -u || true
fi
echo "---- end $lock ----"
done
echo
echo "Also listing package.json files that declare axios and their declared ranges:"
rg -n --hidden --no-ignore-vcs -S '"axios"\s*:\s*".+?"' || true
Length of output: 16172
Unify axios to a single version in the workspace lockfile
yarn.lock contains axios versions 1.12.1, 1.10.0, 1.9.0 and 1.7.7. Most packages under packages/* pin "axios":"1.12.1" but examples/frameworks/vite-example/package.json uses "^1.6.1" and transitive deps (e.g. @ledgerhq/*) pull older versions. Add a root-level resolution or update the conflicting deps and run yarn install/dedupe; verify yarn.lock resolves only [email protected].
🤖 Prompt for AI Agents
In packages/xchain-litecoin/package.json around lines 44 to 47 you pin axios to
1.12.1 but the workspace yarn.lock contains multiple axios versions; add a
root-level resolution in the repository root package.json (or update conflicting
package.json files such as examples/frameworks/vite-example to use ^1.12.1 and
update any transitive deps) to force [email protected], then run yarn install and
yarn dedupe (or yarn install --mode=update-lockfile) to regenerate yarn.lock and
verify it only contains [email protected] before committing.
| "axios": "1.12.1", | ||
| "axios-retry": "^3.9.1" |
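Review bot: axios is pinned exactly while axios-retry keeps a caret range (^3.9.1); another comment in this thread already flags that axios-retry 3.x compatibility with the axios >=1.7 fetch adapter is unverified, so either pin the retry wrapper alongside axios or add a test that exercises a retried request against the pinned version, otherwise a future axios-retry minor can change retry behaviour under a fixed axios without any diff in this file.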
Good pin: axios 1.12.1 fixes known CVEs and improves determinism.
- 1.8.2 patched the SSRF issue (CVE-2025-27152). (ibm.com)
- 1.12.0+ addresses a DoS via data: URLs; 1.12.1 is current and available on CDNs. (security.snyk.io)
Run to ensure no leftovers and a single hoisted version:
🏁 Script executed:
#!/bin/bash
# Show all axios specifiers not equal to "1.12.1"
rg -nP --glob '!**/node_modules/**' '"axios"\s*:\s*"(?!1\.12\.1)[^"]+"' -C2
# Inventory all axios versions across the repo
rg -nP --glob '!**/node_modules/**' '"axios"\s*:\s*"[^"]+"' | awk -F: '{print $1": "$0}' | sed -E 's/.*"axios":\s*"([^"]+)".*/\1/' | sort -u
# Check for multiple axios versions in lockfiles (if present)
fd -a 'yarn.lock' -x rg -n 'axios@' {}
fd -a 'pnpm-lock.yaml' -x rg -n 'axios@' {}
fd -a 'package-lock.json' -x rg -n '"axios@' {}
Length of output: 575
Enforce a single hoisted [email protected] — lockfile contains older versions
Good pin: axios 1.12.1 fixes known CVEs and improves determinism.
- pnpm-lock.yaml shows [email protected], [email protected] (and axios@^1.9.0 → resolved 1.10.0) alongside [email protected]; vulnerable/older versions remain. Update dependent packages or add a top-level override/resolution to force [email protected] and regenerate the lockfile.
🤖 Prompt for AI Agents
In packages/xchain-mayamidgard-query/package.json around lines 38-39, the
project declares [email protected] but the pnpm lockfile still contains older axios
versions (1.7.7, 1.9.x, 1.10.0); enforce a single hoisted [email protected] by either
updating dependent packages that pull older axios versions to versions that
depend on 1.12.1 or add a root-level override/resolution in the repo's
package.json (or pnpmfile) forcing axios to 1.12.1, then run pnpm install to
regenerate the lockfile and verify the lockfile only contains [email protected].