Security: bump axios, form-data, markdown-it #25

Open
scsmith wants to merge 2 commits into main from axios-form-data-security

Conversation

@scsmith (Contributor) commented Jun 18, 2026

Bumps to clear open Dependabot/audit findings on the published cloudmailin SDK:

  • axios 1.15.2 → 1.18.0 (runtime, direct) — clears 6 high + 1 low alerts (proxy-auth/redirect leaks, NO_PROXY bypass, config.proxy prototype-pollution MitM, cookie-name ReDoS, unbounded resource allocation). Floor raised to ^1.18.0 so consumers resolve a patched version.
  • form-data → 4.0.6 (transitive via axios) — clears a high CRLF-injection advisory caught by npm audit of the resolved tree.
  • markdown-it → 14.2.0 (dev, via typedoc) — clears a moderate smartquotes DoS.

All in-range, non-breaking. npm audit --omit=dev now reports 0; tsc build and the unit suite pass. (Integration tests require live credentials and are unaffected.)

scsmith added 2 commits June 18, 2026 10:42
Clears 8 open Dependabot alerts (axios proxy/redirect/ReDoS highs + a
markdown-it DoS) plus a transitive form-data CRLF-injection high. axios is a
runtime dependency, so these shipped to consumers. All in-range patch bumps;
tsc build and unit tests pass.