fix(deps): upgrade axios to 1.15.2 to patch HIGH severity CVEs by bitgo-ai-agent-dev[bot] · Pull Request #8685 · BitGo/BitGoJS

bitgo-ai-agent-dev · 2026-05-05T09:25:00Z

Summary

Upgrades axios from 1.15.0 to 1.15.2 in the yarn resolutions block and root dependencies in package.json
This resolves all 4 HIGH severity advisories reported by improved-yarn-audit:
- GHSA-pmwg-cvhr-8vh7 — incomplete loopback SSRF fix (CVE-2026-42043), patched in 1.15.1
- GHSA-pf86-5x62-jrwf — prototype pollution leading to header injection (CVE-2026-42033), patched in 1.15.1
- GHSA-6chq-wfr3-2hj9 — header injection via prototype pollution (CVE-2026-42035), patched in 1.15.1
- GHSA-q8qp-cvcw-x6jj — (CVE-2026-42264), patched in 1.15.2

The resolution covers all transitive consumers of axios in the monorepo, including:

lerna > nx > axios
@bitgo/abstract-cosmos > @cosmjs/tendermint-rpc > axios
@bitgo/sdk-coin-asi, @bitgo/account-lib, bitgo, @bitgo/express (transitive chain)

yarn run improved-yarn-audit --min-severity high should no longer report any of the four axios advisories
Existing unit tests for sdk-coin-atom, sdk-coin-sui, and utxo-lib (packages with direct axios deps) pass
CI audit check passes

🤖 Generated with Claude Code

Upgrade axios from 1.15.0 to 1.15.2 in both the yarn resolutions and root dependencies to address HIGH severity advisories: - GHSA-pmwg-cvhr-8vh7 (patched in 1.15.1) - GHSA-pf86-5x62-jrwf (patched in 1.15.1) - GHSA-6chq-wfr3-2hj9 (patched in 1.15.1) - GHSA-q8qp-cvcw-x6jj (patched in 1.15.2) Ticket: CGD-1025

linear-code · 2026-05-05T09:25:03Z

bitgo-ai-agent-dev Bot requested a review from a team as a code owner May 5, 2026 09:25

bitgo-ai-agent-dev Bot force-pushed the fix/CGD-1025-axios-audit-vulnerabilities branch from d50373c to 0881169 Compare May 5, 2026 09:25

yashvanthbl137-crypto closed this May 5, 2026