From 6ecdaa1052ee4c3960fcd30f9388af96f91d5053 Mon Sep 17 00:00:00 2001
From: Luis Almeida
Date: Thu, 7 May 2026 16:41:27 +0200
Subject: [PATCH 1/2] chore(deps): bump axios to 1.16.0 and refresh fetch-adapter test stubs
Users installing zcli today already get axios 1.16.0 via the ^1.7.5 range, so CI should validate what users run. 1.16.0 also patches CVE-2025-58754 (affects <1.12.0) and CVE-2025-27152 (<1.8.2).
Three stub updates for the new fetch adapter:
- auth.test.ts: sinon.match now uses a predicate that reads request.headers.get(...) instead of deep-equal on a Headers instance (which doesn't work across instances).
- import.test.ts / update.test.ts: upload stubs include headers: new Headers() so axios' maxContentLength check can call response.headers.get('content-length').
Also add --frozen-lockfile to CI so the install can't silently drift off the lockfile.
---
 .github/workflows/test.yml | 2 +-
 packages/zcli-apps/package.json | 2 +-
 packages/zcli-connectors/package.json | 2 +-
 packages/zcli-core/package.json | 2 +-
 packages/zcli-core/src/lib/auth.test.ts | 52 +++++++------------
 packages/zcli-themes/package.json | 2 +-
 .../tests/functional/import.test.ts | 2 +
 .../tests/functional/update.test.ts | 2 +
 yarn.lock | 32 +++++++++++-
 9 files changed, 60 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 71ccfea6..11c52235 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -36,7 +36,7 @@ jobs:
 restore-keys: |
 node-modules-${{ runner.os }}-${{ hashFiles('**/package.json') }}-
 node-modules-${{ runner.os }}-
- - run: yarn install
+ - run: yarn install --frozen-lockfile
 - run: yarn lint
 - run: yarn test
 - run: yarn test:functional
diff --git a/packages/zcli-apps/package.json b/packages/zcli-apps/package.json
index 8b74a947..bf60714f 100644
--- a/packages/zcli-apps/package.json
+++ b/packages/zcli-apps/package.json
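Review bot: `--frozen-lockfile` makes the install fail on lockfile drift, but the node_modules cache two lines above is still restored from `hashFiles('**/package.json')`, so a lockfile-only change (patch 2 of this series is one) reuses a cache built from the previous resolution and relies on yarn to re-link it; keying on the lockfile, `node-modules-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-`, matches what the install now enforces. The cache step's primary `key:` is outside the hunk, so only the restore-keys are visible here. The flag is the Yarn Classic spelling, consistent with the v1-format yarn.lock touched in this patch; Yarn Berry deprecates it in favour of `--immutable`, which is worth a comment next to the step if a migration is planned.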
@@ -19,7 +19,7 @@
 "dependencies": {
 "adm-zip": "0.5.10",
 "archiver": "^5.3.1",
- "axios": "^1.7.5",
+ "axios": "1.16.0",
 "chalk": "^4.1.2",
 "cors": "^2.8.5",
 "express": "^4.21.2",
diff --git a/packages/zcli-connectors/package.json b/packages/zcli-connectors/package.json
index 7b4690d5..8e31e641 100644
--- a/packages/zcli-connectors/package.json
+++ b/packages/zcli-connectors/package.json
@@ -23,7 +23,7 @@
 "@rollup/plugin-node-resolve": "^15.0.0",
 "adm-zip": "0.5.10",
 "archiver": "^5.3.1",
- "axios": "^1.7.5",
+ "axios": "1.16.0",
 "chalk": "^4.1.2",
 "fs-extra": "^10.0.0",
 "rimraf": "^3.0.2",
diff --git a/packages/zcli-core/package.json b/packages/zcli-core/package.json
index 82d642ee..9d46edce 100644
--- a/packages/zcli-core/package.json
+++ b/packages/zcli-core/package.json
@@ -24,7 +24,7 @@
 },
 "dependencies": {
 "@oclif/plugin-plugins": "=2.1.12",
- "axios": "^1.7.5",
+ "axios": "1.16.0",
 "chalk": "^4.1.2",
 "fs-extra": "^10.1.0"
 },
diff --git a/packages/zcli-core/src/lib/auth.test.ts b/packages/zcli-core/src/lib/auth.test.ts
index a47306b3..8c0b0bf9 100644
--- a/packages/zcli-core/src/lib/auth.test.ts
+++ b/packages/zcli-core/src/lib/auth.test.ts
@@ -93,14 +93,11 @@ describe('Auth', () => {
 promptStub.onFirstCall().resolves('z3ntest')
 promptStub.onSecondCall().resolves('test@zendesk.com')
 promptStub.onThirdCall().resolves('123456')
- fetchStub.withArgs(sinon.match({
- method: 'GET',
- url: 'https://z3ntest.zendesk.com/api/v2/account/settings.json',
- headers: new Headers({
- Accept: 'application/json, text/plain, */*',
- Authorization: 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
- })
- }))
+ fetchStub.withArgs(sinon.match((req: Request) =>
+ req.method === 'GET' &&
+ req.url === 'https://z3ntest.zendesk.com/api/v2/account/settings.json' &&
+ req.headers.get('Authorization') === 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
+ ))
 .resolves({
 status: 200,
 ok: true,
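Review bot: The new predicate no longer asserts the `Accept` header that the old deep-equal matcher required, so a regression that drops or changes `Accept: application/json, text/plain, */*` on the settings request would now pass unnoticed; the same narrowing happens in the hunks at -120, -146 and -173. Restoring it is one more conjunct, `req.headers.get('Accept') === 'application/json, text/plain, */*' &&`, ahead of the Authorization check. The predicate also assumes the stub's first argument is a `Request`; if the adapter ever calls `fetch(url, init)` instead, `req.headers.get` throws inside the matcher rather than reporting a non-match, so a leading `req instanceof Request &&` keeps the failure readable. Since the four predicates differ only in the URL, a small helper such as `settingsRequest(url: string)` returning the matcher would stop them drifting apart again. The enclosing `it(...)` block starts and ends outside the hunk.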
@@ -120,14 +117,11 @@ describe('Auth', () => {
 promptStub.onFirstCall().resolves('z3ntest')
 promptStub.onSecondCall().resolves('test@zendesk.com')
 promptStub.onThirdCall().resolves('123456')
- fetchStub.withArgs(sinon.match({
- method: 'GET',
- url: 'https://z3ntest.example.com/api/v2/account/settings.json',
- headers: new Headers({
- Accept: 'application/json, text/plain, */*',
- Authorization: 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
- })
- }))
+ fetchStub.withArgs(sinon.match((req: Request) =>
+ req.method === 'GET' &&
+ req.url === 'https://z3ntest.example.com/api/v2/account/settings.json' &&
+ req.headers.get('Authorization') === 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
+ ))
 .resolves({
 status: 200,
 ok: true,
@@ -146,14 +140,11 @@ describe('Auth', () => {
 promptStub.reset()
 promptStub.onFirstCall().resolves('test@zendesk.com')
 promptStub.onSecondCall().resolves('123456')
- fetchStub.withArgs(sinon.match({
- method: 'GET',
- url: 'https://z3ntest.example.com/api/v2/account/settings.json',
- headers: new Headers({
- Accept: 'application/json, text/plain, */*',
- Authorization: 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
- })
- }))
+ fetchStub.withArgs(sinon.match((req: Request) =>
+ req.method === 'GET' &&
+ req.url === 'https://z3ntest.example.com/api/v2/account/settings.json' &&
+ req.headers.get('Authorization') === 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
+ ))
 .resolves({
 status: 200,
 ok: true,
@@ -173,14 +164,11 @@ describe('Auth', () => {
 promptStub.onFirstCall().resolves('z3ntest')
 promptStub.onSecondCall().resolves('test@zendesk.com')
 promptStub.onThirdCall().resolves('123456')
- fetchStub.withArgs(sinon.match({
- method: 'GET',
- url: 'https://z3ntest.zendesk.com/api/v2/account/settings.json',
- headers: new Headers({
- Accept: 'application/json, text/plain, */*',
- Authorization: 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
- })
- }))
+ fetchStub.withArgs(sinon.match((req: Request) =>
+ req.method === 'GET' &&
+ req.url === 'https://z3ntest.zendesk.com/api/v2/account/settings.json' &&
+ req.headers.get('Authorization') === 'Basic dGVzdEB6ZW5kZXNrLmNvbS90b2tlbjoxMjM0NTY='
+ ))
 .resolves({
 status: 403,
 ok: false,
diff --git a/packages/zcli-themes/package.json b/packages/zcli-themes/package.json
index f6a573a6..c6ee2ea2 100644
--- a/packages/zcli-themes/package.json
+++ b/packages/zcli-themes/package.json
@@ -19,7 +19,7 @@
 "dependencies": {
 "@types/inquirer": "^8.0.0",
 "@types/ws": "^8.5.4",
- "axios": "^1.7.5",
+ "axios": "1.16.0",
 "chalk": "^4.1.2",
 "chokidar": "^3.5.3",
 "cors": "^2.8.5",
diff --git a/packages/zcli-themes/tests/functional/import.test.ts b/packages/zcli-themes/tests/functional/import.test.ts
index 28b60020..e690d720 100644
--- a/packages/zcli-themes/tests/functional/import.test.ts
+++ b/packages/zcli-themes/tests/functional/import.test.ts
@@ -58,6 +58,7 @@ describe('themes:import', function () {
 })).resolves({
 status: 200,
 ok: true,
+ headers: new Headers(),
 text: () => Promise.resolve('')
 })
 })
@@ -155,6 +156,7 @@ describe('themes:import', function () {
 })).resolves({
 status: 200,
 ok: true,
+ headers: new Headers(),
 text: () => Promise.resolve('')
 })
 })
diff --git a/packages/zcli-themes/tests/functional/update.test.ts b/packages/zcli-themes/tests/functional/update.test.ts
index 1f0d6d41..46bd5b37 100644
--- a/packages/zcli-themes/tests/functional/update.test.ts
+++ b/packages/zcli-themes/tests/functional/update.test.ts
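Review bot: The hand-built response literal has to be patched every time the adapter reads one more field, which is exactly what this hunk, the one at -155 below, and the two update.test.ts hunks at -54 and -147 do; returning a real `Response` keeps `status`, `ok`, `headers` and `text()` consistent in one place: `})).resolves(new Response('', { status: 200 }))`. `Response` is the same Node global as the `Headers` these stubs already construct, so no new import is needed. One caveat: `new Response('')` sets a `content-type` header of its own, so this only holds if nothing in these tests asserts on the exact response header set, which I cannot see from the hunk. If the literal is kept, a one-line comment such as `// headers is read by axios' maxContentLength check` would tell the next maintainer why an empty Headers is required. The enclosing setup block starts outside the hunk.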
@@ -54,6 +54,7 @@ describe('themes:update', function () {
 })).resolves({
 status: 200,
 ok: true,
+ headers: new Headers(),
 text: () => Promise.resolve('')
 })
 })
@@ -147,6 +148,7 @@ describe('themes:update', function () {
 })).resolves({
 status: 200,
 ok: true,
+ headers: new Headers(),
 text: () => Promise.resolve('')
 })
 })
diff --git a/yarn.lock b/yarn.lock
index c76e59aa..87afec51 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3392,7 +3392,16 @@ at-least-node@^1.0.0:
 resolved "https://registry.yarnpkg.com/at-least-node/-/at-least-node-1.0.0.tgz#602cd4b46e844ad4effc92a8011a3c46e0238dc2"
 integrity sha512-+q/t7Ekv1EDY2l6Gda6LLiX14rU9TV20Wa3ofeQmwPFZbOMo9DXrLbOjFaaclkXKWidIaopwAObQDqwWtGUjqg==
 
-axios@^1.0.0, axios@^1.7.5:
+axios@1.16.0:
+ version "1.16.0"
+ resolved "https://registry.yarnpkg.com/axios/-/axios-1.16.0.tgz#f8e5dd931cef2a5f8c32216d5784eda2f8750eb7"
+ integrity sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==
+ dependencies:
+ follow-redirects "^1.16.0"
+ form-data "^4.0.5"
+ proxy-from-env "^2.1.0"
+
+axios@^1.0.0:
 version "1.8.4"
 resolved "https://registry.yarnpkg.com/axios/-/axios-1.8.4.tgz#78990bb4bc63d2cae072952d374835950a82f447"
 integrity sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw==
@@ -5244,6 +5253,11 @@ follow-redirects@^1.15.6:
 resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.9.tgz#a604fa10e443bf98ca94228d9eebcc2e8a2c8ee1"
 integrity sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==
 
+follow-redirects@^1.16.0:
+ version "1.16.0"
+ resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.16.0.tgz#28474a159d3b9d11ef62050a14ed60e4df6d61bc"
+ integrity sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==
+
 foreground-child@^2.0.0:
 version "2.0.0"
 resolved "https://registry.yarnpkg.com/foreground-child/-/foreground-child-2.0.0.tgz#71b32800c9f15aa8f2f83f4a6bd9bff35d861a53"
@@ -5271,6 +5285,17 @@ form-data@^4.0.0:
 hasown "^2.0.2"
 mime-types "^2.1.12"
 
+form-data@^4.0.5:
+ version "4.0.5"
+ resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.5.tgz#b49e48858045ff4cbf6b03e1805cebcad3679053"
+ integrity sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==
+ dependencies:
+ asynckit "^0.4.0"
+ combined-stream "^1.0.8"
+ es-set-tostringtag "^2.1.0"
+ hasown "^2.0.2"
+ mime-types "^2.1.12"
+
 forwarded@0.2.0:
 version "0.2.0"
 resolved "https://registry.yarnpkg.com/forwarded/-/forwarded-0.2.0.tgz#2269936428aad4c15c7ebe9779a84bf0b2a81811"
@@ -8042,6 +8067,11 @@ proxy-from-env@^1.1.0:
 resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
 integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
 
+proxy-from-env@^2.1.0:
+ version "2.1.0"
+ resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-2.1.0.tgz#a7487568adad577cfaaa7e88c49cab3ab3081aba"
+ integrity sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==
+
 pump@^3.0.0:
 version "3.0.0"
 resolved "https://registry.yarnpkg.com/pump/-/pump-3.0.0.tgz#b4a2116815bde2f4e1ea602354e8c75565107a64"
From a6012962def93b04243fa1f12b1a78c74779e41d Mon Sep 17 00:00:00 2001
From: Luis Almeida
Date: Fri, 8 May 2026 10:17:51 +0200
Subject: [PATCH 2/2] chore(deps): relax axios range to ^1.12.0 and dedupe lockfile
Per review: the exact 1.16.0 pin was overkill when the lockfile already pins the installed version deterministically. ^1.12.0 is narrow enough to exclude the CVE-affected <1.12.0 range and give consumers of these packages flexibility when they dedupe with their own axios.
Also collapse the lockfile so axios@^1.0.0 (transitive via lerna>nx) resolves onto the same 1.16.0 as our packages instead of a stale 1.8.4, clearing the remaining axios advisories.
---
 packages/zcli-apps/package.json | 2 +-
 packages/zcli-connectors/package.json | 2 +-
 packages/zcli-core/package.json | 2 +-
 packages/zcli-themes/package.json | 2 +-
 yarn.lock | 21 +--------------------
 5 files changed, 5 insertions(+), 24 deletions(-)
diff --git a/packages/zcli-apps/package.json b/packages/zcli-apps/package.json
index bf60714f..06534961 100644
--- a/packages/zcli-apps/package.json
+++ b/packages/zcli-apps/package.json
@@ -19,7 +19,7 @@
 "dependencies": {
 "adm-zip": "0.5.10",
 "archiver": "^5.3.1",
- "axios": "1.16.0",
+ "axios": "^1.12.0",
 "chalk": "^4.1.2",
 "cors": "^2.8.5",
 "express": "^4.21.2",
diff --git a/packages/zcli-connectors/package.json b/packages/zcli-connectors/package.json
index 8e31e641..5404c2ba 100644
--- a/packages/zcli-connectors/package.json
+++ b/packages/zcli-connectors/package.json
@@ -23,7 +23,7 @@
 "@rollup/plugin-node-resolve": "^15.0.0",
 "adm-zip": "0.5.10",
 "archiver": "^5.3.1",
- "axios": "1.16.0",
+ "axios": "^1.12.0",
 "chalk": "^4.1.2",
 "fs-extra": "^10.0.0",
 "rimraf": "^3.0.2",
diff --git a/packages/zcli-core/package.json b/packages/zcli-core/package.json
index 9d46edce..74754e2b 100644
--- a/packages/zcli-core/package.json
+++ b/packages/zcli-core/package.json
@@ -24,7 +24,7 @@
 },
 "dependencies": {
 "@oclif/plugin-plugins": "=2.1.12",
- "axios": "1.16.0",
+ "axios": "^1.12.0",
 "chalk": "^4.1.2",
 "fs-extra": "^10.1.0"
 },
diff --git a/packages/zcli-themes/package.json b/packages/zcli-themes/package.json
index c6ee2ea2..ec960704 100644
--- a/packages/zcli-themes/package.json
+++ b/packages/zcli-themes/package.json
@@ -19,7 +19,7 @@
 "dependencies": {
 "@types/inquirer": "^8.0.0",
 "@types/ws": "^8.5.4",
- "axios": "1.16.0",
+ "axios": "^1.12.0",
 "chalk": "^4.1.2",
 "chokidar": "^3.5.3",
 "cors": "^2.8.5",
diff --git a/yarn.lock b/yarn.lock
index 87afec51..3ff886ec 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3392,7 +3392,7 @@ at-least-node@^1.0.0:
 resolved "https://registry.yarnpkg.com/at-least-node/-/at-least-node-1.0.0.tgz#602cd4b46e844ad4effc92a8011a3c46e0238dc2"
 integrity sha512-+q/t7Ekv1EDY2l6Gda6LLiX14rU9TV20Wa3ofeQmwPFZbOMo9DXrLbOjFaaclkXKWidIaopwAObQDqwWtGUjqg==
 
-axios@1.16.0:
+axios@^1.0.0, axios@^1.12.0:
 version "1.16.0"
 resolved "https://registry.yarnpkg.com/axios/-/axios-1.16.0.tgz#f8e5dd931cef2a5f8c32216d5784eda2f8750eb7"
 integrity sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==
@@ -3401,15 +3401,6 @@ axios@1.16.0:
 form-data "^4.0.5"
 proxy-from-env "^2.1.0"
 
-axios@^1.0.0:
- version "1.8.4"
- resolved "https://registry.yarnpkg.com/axios/-/axios-1.8.4.tgz#78990bb4bc63d2cae072952d374835950a82f447"
- integrity sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw==
- dependencies:
- follow-redirects "^1.15.6"
- form-data "^4.0.0"
- proxy-from-env "^1.1.0"
-
 babel-plugin-polyfill-corejs2@^0.4.15:
 version "0.4.17"
 resolved "https://registry.yarnpkg.com/babel-plugin-polyfill-corejs2/-/babel-plugin-polyfill-corejs2-0.4.17.tgz#198f970f1c99a856b466d1187e88ce30bd199d91"
@@ -5248,11 +5239,6 @@ flatted@^3.1.0:
 resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.2.6.tgz#022e9218c637f9f3fc9c35ab9c9193f05add60b2"
 integrity sha512-0sQoMh9s0BYsm+12Huy/rkKxVu4R1+r96YX5cG44rHV0pQ6iC3Q+mkoMFaGWObMFYQxCVT+ssG1ksneA2MI9KQ==
 
-follow-redirects@^1.15.6:
- version "1.15.9"
- resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.9.tgz#a604fa10e443bf98ca94228d9eebcc2e8a2c8ee1"
- integrity sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==
-
 follow-redirects@^1.16.0:
 version "1.16.0"
 resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.16.0.tgz#28474a159d3b9d11ef62050a14ed60e4df6d61bc"
@@ -8062,11 +8048,6 @@ proxy-addr@~2.0.7:
 forwarded "0.2.0"
 ipaddr.js "1.9.1"
 
-proxy-from-env@^1.1.0:
- version "1.1.0"
- resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
- integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
-
 proxy-from-env@^2.1.0:
 version "2.1.0"
 resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-2.1.0.tgz#a7487568adad577cfaaa7e88c49cab3ab3081aba"