diff --git a/examples/typescript/pnpm-lock.yaml b/examples/typescript/pnpm-lock.yaml index 561679bad..759efea23 100644 --- a/examples/typescript/pnpm-lock.yaml +++ b/examples/typescript/pnpm-lock.yaml @@ -54,11 +54,11 @@ importers: specifier: 1.0.6 version: 1.0.6(typescript@5.8.3)(zod@3.25.76) axios: - specifier: 1.13.6 - version: 1.13.6 + specifier: ^1.16.0 + version: 1.16.0 axios-retry: specifier: ^4.5.0 - version: 4.5.0(axios@1.13.6) + version: 4.5.0(axios@1.16.0) bs58: specifier: ^6.0.0 version: 6.0.0 @@ -662,8 +662,8 @@ packages: peerDependencies: axios: 0.x || 1.x - axios@1.13.6: - resolution: {integrity: sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ==} + axios@1.16.0: + resolution: {integrity: sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==} base-x@5.0.1: resolution: {integrity: sha512-M7uio8Zt++eg3jPj+rHMfCC+IuygQHHCOU+IYsVtik6FWjuYpVt/+MRKcgsAMHh8mMFAwnB+Bs+mTrFiXjMzKg==} @@ -736,8 +736,8 @@ packages: fastestsmallesttextencoderdecoder@1.0.22: resolution: {integrity: sha512-Pb8d48e+oIuY4MaM64Cd7OW1gt4nxCHs7/ddPPZ/Ic3sg8yVGM7O9wDvZ7us6ScaUupzM+pfBolwtYhN1IxBIw==} - follow-redirects@1.15.11: - resolution: {integrity: sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==} + follow-redirects@1.16.0: + resolution: {integrity: sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==} engines: {node: '>=4.0'} peerDependencies: debug: '*' @@ -835,8 +835,9 @@ packages: ox: optional: true - proxy-from-env@1.1.0: - resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==} + proxy-from-env@2.1.0: + resolution: {integrity: sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==} + engines: {node: '>=10'} resolve-pkg-maps@1.0.0: resolution: {integrity: sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==} @@ -1455,16 +1456,16 @@ snapshots: asynckit@0.4.0: {} - axios-retry@4.5.0(axios@1.13.6): + axios-retry@4.5.0(axios@1.16.0): dependencies: - axios: 1.13.6 + axios: 1.16.0 is-retry-allowed: 2.2.0 - axios@1.13.6: + axios@1.16.0: dependencies: - follow-redirects: 1.15.11 + follow-redirects: 1.16.0 form-data: 4.0.5 - proxy-from-env: 1.1.0 + proxy-from-env: 2.1.0 transitivePeerDependencies: - debug @@ -1555,7 +1556,7 @@ snapshots: fastestsmallesttextencoderdecoder@1.0.22: optional: true - follow-redirects@1.15.11: {} + follow-redirects@1.16.0: {} form-data@4.0.5: dependencies: @@ -1650,7 +1651,7 @@ snapshots: dependencies: viem: 2.47.0(bufferutil@4.1.0)(typescript@5.8.3)(utf-8-validate@6.0.6)(zod@3.25.76) - proxy-from-env@1.1.0: {} + proxy-from-env@2.1.0: {} resolve-pkg-maps@1.0.0: {} diff --git a/typescript/.changeset/green-sites-peel.md b/typescript/.changeset/green-sites-peel.md new file mode 100644 index 000000000..cbee81bde --- /dev/null +++ b/typescript/.changeset/green-sites-peel.md @@ -0,0 +1,7 @@ +--- +"@coinbase/cdp-sdk": patch +--- + +Bump axios from `1.13.6` to `^1.16.0` in `typescript/src/package.json` to pick up security fixes for [GHSA-fvcv-3m26-pcqx](https://github.com/advisories/GHSA-fvcv-3m26-pcqx) (Cloud Metadata Exfiltration via Header Injection) and [GHSA-3p68-rc4w-qgx5](https://github.com/advisories/GHSA-3p68-rc4w-qgx5) (NO_PROXY Hostname Normalization Bypass leading to SSRF), both patched in `1.15.0`. The exact `1.13.6` pin (originally added in #631 to block the compromised `1.14.1` release) prevented consumers from receiving these patches via `npm update` / `npm audit fix`. A semver range allows future patch bumps without re-pinning. `1.14.x` is excluded by `^1.16.0`. + +Closes #681. diff --git a/typescript/pnpm-lock.yaml b/typescript/pnpm-lock.yaml index b7b08ef2c..f9d4aca7e 100644 --- a/typescript/pnpm-lock.yaml +++ b/typescript/pnpm-lock.yaml @@ -110,11 +110,11 @@ importers: specifier: 1.0.6 version: 1.0.6(typescript@5.9.3)(zod@3.25.76) axios: - specifier: 1.13.6 - version: 1.13.6 + specifier: ^1.16.0 + version: 1.16.0 axios-retry: specifier: ^4.5.0 - version: 4.5.0(axios@1.13.6) + version: 4.5.0(axios@1.16.0) bs58: specifier: ^6.0.0 version: 6.0.0 @@ -1881,8 +1881,8 @@ packages: peerDependencies: axios: 0.x || 1.x - axios@1.13.6: - resolution: {integrity: sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ==} + axios@1.16.0: + resolution: {integrity: sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==} balanced-match@1.0.2: resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} @@ -2406,8 +2406,8 @@ packages: flatted@3.3.4: resolution: {integrity: sha512-3+mMldrTAPdta5kjX2G2J7iX4zxtnwpdA8Tr2ZSjkyPSanvbZAcy6flmtnXbEybHrDcU9641lxrMfFuUxVz9vA==} - follow-redirects@1.15.11: - resolution: {integrity: sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==} + follow-redirects@1.16.0: + resolution: {integrity: sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==} engines: {node: '>=4.0'} peerDependencies: debug: '*' @@ -3262,8 +3262,9 @@ packages: resolution: {integrity: sha512-Pdlw/oPxN+aXdmM9R00JVC9WVFoCLTKJvDVLgmJ+qAffBMxsV85l/Lu7sNx4zSzPyoL2euImuEwHhOXdEgNFZQ==} engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} - proxy-from-env@1.1.0: - resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==} + proxy-from-env@2.1.0: + resolution: {integrity: sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==} + engines: {node: '>=10'} punycode.js@2.3.1: resolution: {integrity: sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==} @@ -5772,16 +5773,16 @@ snapshots: dependencies: possible-typed-array-names: 1.1.0 - axios-retry@4.5.0(axios@1.13.6): + axios-retry@4.5.0(axios@1.16.0): dependencies: - axios: 1.13.6 + axios: 1.16.0 is-retry-allowed: 2.2.0 - axios@1.13.6: + axios@1.16.0: dependencies: - follow-redirects: 1.15.11 + follow-redirects: 1.16.0 form-data: 4.0.5 - proxy-from-env: 1.1.0 + proxy-from-env: 2.1.0 transitivePeerDependencies: - debug @@ -6467,7 +6468,7 @@ snapshots: flatted@3.3.4: {} - follow-redirects@1.15.11: {} + follow-redirects@1.16.0: {} for-each@0.3.5: dependencies: @@ -7345,7 +7346,7 @@ snapshots: ansi-styles: 5.2.0 react-is: 18.3.1 - proxy-from-env@1.1.0: {} + proxy-from-env@2.1.0: {} punycode.js@2.3.1: {} diff --git a/typescript/src/package.json b/typescript/src/package.json index f447b9a0e..622036907 100644 --- a/typescript/src/package.json +++ b/typescript/src/package.json @@ -23,7 +23,7 @@ "@solana-program/token": "^0.9.0", "@solana/kit": "^5.5.1", "abitype": "1.0.6", - "axios": "1.13.6", + "axios": "^1.16.0", "axios-retry": "^4.5.0", "bs58": "^6.0.0", "jose": "^6.2.0",