chore(deps): bump axios to ^1.12.0 and refresh fetch-adapter test stubs#371
Conversation
Users installing zcli today already get axios 1.16.0 via the ^1.7.5 range, so CI should validate what users run. 1.16.0 also patches CVE-2025-58754 (affects <1.12.0) and CVE-2025-27152 (<1.8.2). Three stub updates for the new fetch adapter:
- auth.test.ts: sinon.match now uses a predicate that reads request.headers.get(...) instead of deep-equal on a Headers instance (which doesn't work across instances).
- import.test.ts / update.test.ts: upload stubs include headers: new Headers() so axios' maxContentLength check can call response.headers.get('content-length').

Also add --frozen-lockfile to CI so the install can't silently drift off the lockfile.
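A minimal illustration of the two stub shapes the post describes, added here as an example (not code from the zcli repository or from this PR); it assumes Node 18+ globals Headers, Request and Response, and the function names matchesRequest, makeUploadResponse and enforceMaxContentLength are hypothetical:

```javascript
// Added example, not code from the zcli repository or this PR.
// Assumes Node 18+ globals (Headers, Request, Response, TextEncoder).
// Function names are hypothetical stand-ins for the sinon stubs in the tests.

// Request matcher in the shape sinon.match accepts: a predicate that reads
// header values through headers.get(), so two distinct Headers instances
// carrying the same entries match. As the PR notes, deep-equal against a
// Headers instance does not work across instances.
function matchesRequest(expected) {
  return (request) => {
    const headers =
      request.headers instanceof Headers ? request.headers : new Headers(request.headers || {});
    const headersOk = Object.entries(expected.headers || {}).every(
      ([name, value]) => headers.get(name) === value, // get() is case-insensitive
    );
    const methodOk = expected.method === undefined || request.method === expected.method;
    const urlOk = expected.url === undefined || request.url === expected.url;
    return headersOk && methodOk && urlOk;
  };
}

// Upload-response stub with a real Headers instance, so code that reads
// response.headers.get('content-length') works instead of throwing on a
// plain object that has no get() method.
function makeUploadResponse(body = '', status = 200) {
  const bytes = new TextEncoder().encode(body);
  return new Response(bytes, {
    status,
    headers: new Headers({
      'content-length': String(bytes.byteLength),
      'content-type': 'application/json',
    }),
  });
}

// Hypothetical stand-in for the adapter-side size guard the PR mentions:
// it only works when the stubbed response exposes headers.get().
function enforceMaxContentLength(response, maxContentLength) {
  const declared = Number(response.headers.get('content-length') ?? -1);
  if (maxContentLength > -1 && declared > maxContentLength) {
    throw new Error(`maxContentLength size of ${maxContentLength} exceeded`);
  }
  return declared;
}
```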
Pull request overview
Updates the monorepo’s axios dependency to 1.16.0 (matching what users already resolve today and addressing cited CVEs), and adjusts fetch-adapter-related tests/CI to be compatible and deterministic.
Changes:
- Pin axios to `1.16.0` in workspace packages and refresh `yarn.lock` for the new transitive graph.
- Update fetch stubs/matchers in tests to align with axios fetch-adapter request/response shapes.
- Make CI installs deterministic by using `yarn install --frozen-lockfile`.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| yarn.lock | Adds lock entries for axios 1.16.0 and updated transitive deps. |
| packages/zcli-themes/tests/functional/update.test.ts | Adjusts S3 upload fetch stub to include headers. |
| packages/zcli-themes/tests/functional/import.test.ts | Adjusts S3 upload fetch stub to include headers. |
| packages/zcli-themes/package.json | Pins axios to 1.16.0. |
| packages/zcli-core/src/lib/auth.test.ts | Makes fetch request matching less brittle under the newer fetch adapter behavior. |
| packages/zcli-core/package.json | Pins axios to 1.16.0. |
| packages/zcli-connectors/package.json | Pins axios to 1.16.0. |
| packages/zcli-apps/package.json | Pins axios to 1.16.0. |
| .github/workflows/test.yml | Uses --frozen-lockfile to prevent lock drift during CI installs. |
mmassaki
left a comment
Thank you for fixing this issue :)
Sorry, I realized we shouldn't enforce the latest version of axios in package.json.
Per review: the exact 1.16.0 pin was overkill when the lockfile already pins the installed version deterministically. ^1.12.0 is narrow enough to exclude the CVE-affected <1.12.0 range and give consumers of these packages flexibility when they dedupe with their own axios. Also collapse the lockfile so axios@^1.0.0 (transitive via lerna>nx) resolves onto the same 1.16.0 as our packages instead of a stale 1.8.4, clearing the remaining axios advisories.
Thanks for addressing my comments. @zendesk/vegemite @zendesk/vikings, could you please review this PR?
BrunoBFerreira
left a comment
Approved. I noticed the Copilot review comments but I have noticed we have a similar approach in other tests as well.
Is it worth considering this an improvement for a future PR?
Thank you for the work 🙏
saikambaiyyagari
left a comment
narrow 👍🏾 for Vegemite owned files
Description
Alternative to #370. Users installing zcli today already get axios `1.16.0` via the `^1.7.5` range, so CI should validate what users actually run rather than pinning to the old `1.8.4`. 1.16.0 also patches CVE-2025-58754 (affects `<1.12.0`) and CVE-2025-27152 (`<1.8.2`).

Trade-off vs #370: fixes test stubs against the newer fetch adapter rather than keeping old stubs working against an older axios. Same effective unblock; healthier long-term posture.
References
Risks
Low. `1.16.0` is what `yarn install` on master already resolves to today. Test stub changes are internal-only.