Pin axios to safe version — supply chain attack on 1.14.1

## Summary

axios versions **1.14.1** and **0.30.4** were compromised in a supply chain attack on March 30, 2026. The attacker hijacked a maintainer's npm account and added a malicious dependency (`plain-crypto-js`) that acts as a cross-platform RAT dropper.

This repo's `package.json` declares `"axios": "^1.8.2"` — the caret range **could resolve to 1.14.1** on a fresh `npm install` if lockfiles aren't committed or are regenerated. The current lockfile resolves to **1.13.4** (safe), but this should be pinned to prevent accidental upgrade.

### Recommended action

Pin axios to a known-safe version in `package.json`:
```json
"axios": "1.14.0"
```

Or add a `resolutions`/`overrides` field to block the compromised version.

## References

- [The Hacker News: Axios Supply Chain Attack](https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html)
- [Socket.dev analysis](https://socket.dev/blog/axios-npm-package-compromised)
- [Snyk advisory](https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/)
- [Vercel remediation steps](https://vercel.com/changelog/axios-package-compromise-and-remediation-steps)

The malicious versions have been removed from npm, but lockfile audits are recommended.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin axios to safe version — supply chain attack on 1.14.1 #177

Summary

Recommended action

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Pin axios to safe version — supply chain attack on 1.14.1 #177

Description

Summary

Recommended action

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions