From a5c46ab955747d5f3f5095e273394a19737be9d9 Mon Sep 17 00:00:00 2001 From: "Morgan (Mycosoft Security)" Date: Tue, 31 Mar 2026 03:55:09 +0000 Subject: [PATCH] =?UTF-8?q?security:=20pin=20axios=20to=201.8.2=20?= =?UTF-8?q?=E2=80=94=20supply=20chain=20attack=20on=201.14.1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CRITICAL: axios@1.14.1 has been compromised with a malicious dependency (plain-crypto-js@4.2.1) via maintainer account takeover. This pins axios to the known-safe version 1.8.2 to prevent accidental resolution to the compromised release. NOTE: This repo has no package-lock.json committed, making it especially vulnerable. A lockfile should be generated and committed. Reference: https://github.com/axios/axios/issues/10590
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 739172b..c9114b6 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
 },
 "devDependencies": {
 "@tailwindcss/vite": "^4.0.0",
- "axios": "^1.8.2",
+ "axios": "1.8.2",
 "concurrently": "^9.0.1",
 "laravel-vite-plugin": "^1.2.0",
 "tailwindcss": "^4.0.0",
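Review bot: The exact pin on the new `"axios": "1.8.2"` line only constrains the direct devDependency; any other package in the tree that declares its own `axios` range can still resolve to 1.14.1, and with no committed lockfile that resolution is recomputed on every install. To force a single version across the whole tree, add an npm `overrides` entry next to it, `"overrides": { "axios": "1.8.2" }` (yarn uses `resolutions`), then generate and commit the lockfile and install with `npm ci` so the resolved tree is reviewed rather than recomputed. The hunk shows only `devDependencies`; if `axios` is also listed in a `dependencies` block before line 7 it is outside this view and would remain on a caret range. Pinning back to 1.8.2 also forgoes every fix shipped between 1.8.2 and 1.14.0, so the pin should be recorded as a stopgap with a follow-up to move to a verified clean release once the linked advisory is resolved.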