
Security: axios pin 1.13.6 is outdated — please update to 1.16.0 #681

@Hg347

Description


Background

PR #631 intentionally pinned axios to 1.13.6 to block the compromised axios@1.14.1 supply-chain release. That was the right call at the time.

Problem

axios@1.13.6 is now itself vulnerable to two moderate advisories published since the pin was set. Version 1.16.0 is clean and patches both. Keeping the exact pin means every consumer of @coinbase/cdp-sdk gets flagged by npm audit with no standard way to resolve it: exact pins block npm update.

Advisories affecting axios@1.13.6

| GHSA | CVE | Severity | Description | Affected range | Patched in |
|---|---|---|---|---|---|
| GHSA-fvcv-3m26-pcqx | CVE-2026-40175 | Moderate | Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | >=1.0.0, <1.15.0 | 1.15.0 |
| GHSA-3p68-rc4w-qgx5 | CVE-2025-62718 | Moderate | NO_PROXY Hostname Normalization Bypass leading to SSRF | >=1.0.0, <1.15.0 | 1.15.0 |

Both advisories were published after 1.13.6 was pinned and are only fixed in 1.15.0. All other known axios advisories were already patched before 1.13.6.

Why 1.14.1 is not a safe intermediate

axios@1.14.1 was the compromised supply-chain release that triggered PR #631. Versions 1.14.0 and 1.14.1 should be avoided. 1.15.0 is the first clean release that also patches the two CVEs above. The current latest clean release is 1.16.0.

Suggested fix

- "axios": "1.13.6"
+ "axios": "^1.16.0"

A semver range rather than an exact pin allows consumers to receive security patches via npm update and npm audit fix without needing workarounds.
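As an added illustration (not code from this issue or from the @coinbase/cdp-sdk project), the following minimal semver checker evaluates a dependency spec against the two advisory ranges quoted above and shows why `npm update` cannot move an exact pin while a caret range resolves past the patched version. The `satisfies` and `auditSpec` helpers and the registry version list are constructed for the demo and are not npm's own semver implementation.

```javascript
// Added example: why an exact axios pin cannot be remediated by `npm update`
// while a "^1.16.0" range can. Advisory ranges are those quoted in the issue;
// REGISTRY is a constructed version list, not a live registry lookup.

const parse = (v) => v.split('.').map(Number);

// Compare two "x.y.z" versions: negative, zero or positive, like strcmp.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Hypothetical helper: supports an exact version, a caret range (major >= 1
// only), or npm-audit style comparator lists such as ">=1.0.0, <1.15.0".
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const floor = range.slice(1);
    return cmp(version, floor) >= 0 && parse(version)[0] === parse(floor)[0];
  }
  if (/^\d/.test(range)) return cmp(version, range) === 0; // exact pin
  return range.split(',').every((clause) => {
    const [, op, v] = clause.trim().match(/^(>=|<=|>|<)?\s*(\S+)$/);
    const d = cmp(version, v);
    return { '>=': d >= 0, '<=': d <= 0, '>': d > 0, '<': d < 0, '': d === 0 }[op || ''];
  });
}

const ADVISORIES = [
  { id: 'GHSA-fvcv-3m26-pcqx', affected: '>=1.0.0, <1.15.0' },
  { id: 'GHSA-3p68-rc4w-qgx5', affected: '>=1.0.0, <1.15.0' },
];
const COMPROMISED = new Set(['1.14.0', '1.14.1']); // releases the issue says to avoid

// Constructed registry listing used only for this demo.
const REGISTRY = ['1.13.5', '1.13.6', '1.14.0', '1.14.1', '1.15.0', '1.16.0'];

// Report the newest version a dependency spec lets npm resolve to (what
// `npm update` would pick, skipping compromised releases) and which advisories
// still match it. An exact pin has exactly one candidate, so nothing can move.
function auditSpec(spec, registry = REGISTRY) {
  const resolvable = registry
    .filter((v) => satisfies(v, spec) && !COMPROMISED.has(v))
    .sort(cmp);
  const newest = resolvable.length ? resolvable[resolvable.length - 1] : null;
  const findings = newest
    ? ADVISORIES.filter((a) => satisfies(newest, a.affected)).map((a) => a.id)
    : [];
  return { pinned: /^\d/.test(spec), newest, findings };
}
```

Running `auditSpec('1.13.6')` reports both advisories with no newer candidate, while `auditSpec('^1.16.0')` resolves to 1.16.0 with no findings.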

Observed in

  • @coinbase/cdp-sdk@1.48.2
  • Transitively via @base-org/account@2.4.0 and @reown/appkit-adapter-ethers@1.8.19

Steps to reproduce

npm install @reown/appkit-adapter-ethers
npm audit
# → 2 moderate findings for axios (GHSA-fvcv-3m26-pcqx, GHSA-3p68-rc4w-qgx5)
npm update axios
npm audit
# → findings persist because of the exact pin in @coinbase/cdp-sdk
