Skip to content

Allow patched Axios 1.x releases#200

Open
kangkona wants to merge 1 commit into
larksuite:mainfrom
kangkona:codex/allow-patched-axios
Open

Allow patched Axios 1.x releases#200
kangkona wants to merge 1 commit into
larksuite:mainfrom
kangkona:codex/allow-patched-axios

Conversation

@kangkona

Copy link
Copy Markdown

Summary

  • raise the Axios runtime dependency from ~1.13.3 to ^1.16.0
  • refresh yarn.lock, resolving the tested tree to Axios 1.18.1
  • keep the change limited to the dependency declaration and generated lockfile

Why

The tilde range keeps consumers on Axios 1.13.x and prevents package managers from selecting current patched 1.x minors. The current Axios advisories reported against the locked version have a highest patched-version floor of >=1.16.0. Using a caret range preserves that security floor while allowing future compatible 1.x security releases.

This changes no SDK API. A fresh install resolves Axios 1.18.1 and its updated transitive dependencies.

Closes #199.

Validation

  • yarn build — passed; Rollup emitted project-wide TypeScript/unresolved-dependency warnings unrelated to this two-file dependency diff
  • yarn test --runInBand — 46 suites and 450 tests passed
  • yarn check --integrity — passed
  • npm pack --dry-run — passed for @larksuiteoapi/node-sdk@1.71.0
  • Axios-filtered yarn audit — 0 advisories after the update

The full repository audit still reports findings in other dependencies (including protobufjs and ws). Those are intentionally outside this narrowly scoped Axios remediation.

The existing tilde range traps clean installs on Axios 1.13.x even though current advisories are fixed in 1.16.0 and later. Raise the security floor and allow compatible 1.x minor releases so consumers can receive present and future fixes without overrides.

Constraint: Current Axios advisories require 1.16.0 or newer
Rejected: Pin Axios 1.18.1 exactly | would block compatible future security releases
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep the Axios minimum at or above the latest reviewed advisory floor
Tested: yarn build; 46 suites and 450 tests; yarn check --integrity; npm pack --dry-run; Axios-filtered yarn audit
Not-tested: Live Lark API request because no upstream test credentials are available
Related: larksuite#199
@CLAassistant

CLAassistant commented Jul 13, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@kangkona kangkona marked this pull request as ready for review July 13, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: axios ~1.13.3 blocks fixes available in >=1.16.0

2 participants