references/plane
1
0
Fork 0
mirror of https://github.com/makeplane/plane.git synced 2026-06-13 19:19:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: bump npm deps to resolve Dependabot advisories (#9191)

Browse Source 
* fix: bump npm deps to resolve Dependabot advisories

Resolve 8 open Dependabot alerts (all npm, in pnpm-lock.yaml) by bumping
the affected packages in pnpm-workspace.yaml and regenerating the lockfile:

- axios 1.15.2 -> 1.16.0 (catalog): CVE-2026-44494/44492/44490/44489
- tmp -> 0.2.6 (override): CVE-2026-44705 path traversal
- ws 8.x -> 8.20.1 (catalog + scoped override): CVE-2026-45736
- qs 6.14.2 -> 6.15.2 (override): CVE-2026-8723 DoS
- brace-expansion 5.0.5 -> 5.0.6 (override): CVE-2026-45149 DoS

brace-expansion and qs were pinned to their vulnerable versions in the
overrides block, so the pins had to be bumped directly. ws is scoped to
the 8.x major (ws@7.5.10 is below the vulnerable >=8.0.0 floor). All bumps
are semver-compatible patch/minor upgrades; no source changes required.

* fix: use named axios `create` import after 1.16.0 bump

axios 1.16.0 newly exposes `create` as a named export, so oxlint's
import/no-named-as-default-member rule now flags `axios.create(...)`.
That added one warning to @plane/services (7 > its --max-warnings=6
baseline) and to apps/web and apps/live, failing check:lint — surfaced
on this PR because the lockfile change busts Turbo's lint cache.

Switch the three `axios.create(...)` call sites to a named `{ create }`
import. `create` is a real value+type export in axios 1.16.0 (verified
via tsc). isCancel/CancelToken are left as `axios.*`: CancelToken is
only a type export (cannot be a value import under verbatimModuleSyntax)
and both were already counted within the existing baselines.

Verified locally: full `pnpm check:lint` (16/16) and `check:types`
(15/15) pass.
This commit is contained in:
sriram veeraghanta
2026-06-01 18:37:35 +05:30
committed by GitHub
parent e388cb9125
commit 7ec8d4990f
5 changed files with 56 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/live/src/services/api.service.ts
+2 -2
View File
@@ -5,7 +5,7 @@
*/
import type { AxiosInstance } from "axios";
import axios from "axios";
import { create } from "axios";
import { env } from "@/env";
import { AppError } from "@/lib/errors";
@@ -16,7 +16,7 @@ export abstract class APIService {
constructor(baseURL?: string) {
this.baseURL = baseURL || env.API_BASE_URL;
this.axiosInstance = axios.create({
this.axiosInstance = create({
baseURL: this.baseURL,
withCredentials: true,
timeout: 20000,
apps/web/core/services/api.service.ts
+2 -2
View File
@@ -6,7 +6,7 @@
/* eslint-disable @typescript-eslint/no-explicit-any */
import type { AxiosInstance, AxiosRequestConfig } from "axios";
import axios from "axios";
import { create } from "axios";
export abstract class APIService {
protected baseURL: string;
@@ -14,7 +14,7 @@ export abstract class APIService {
constructor(baseURL: string) {
this.baseURL = baseURL;
this.axiosInstance = axios.create({
this.axiosInstance = create({
baseURL,
withCredentials: true,
});
packages/services/src/api.service.ts
+2 -2
View File
@@ -5,7 +5,7 @@
*/
import type { AxiosInstance, AxiosRequestConfig } from "axios";
import axios from "axios";
import { create } from "axios";
/**
* Abstract base class for making HTTP requests using axios
@@ -21,7 +21,7 @@ export abstract class APIService {
*/
constructor(baseURL: string) {
this.baseURL = baseURL;
this.axiosInstance = axios.create({
this.axiosInstance = create({
baseURL,
withCredentials: true,
});
pnpm-lock.yaml
Generated
+44 -42
View File
@@ -529,8 +529,8 @@ catalogs:
specifier: ^3.17.0
version: 3.17.0
ws:
specifier: ^8.18.3
version: 8.18.3
specifier: 8.20.1
version: 8.20.1
y-indexeddb:
specifier: ^9.0.12
version: 9.0.12
@@ -552,7 +552,7 @@ overrides:
mdast-util-to-hast: 13.2.1
valibot: 1.2.0
glob: 11.1.0
brace-expansion: 5.0.5
brace-expansion: 5.0.6
nanoid: 3.3.8
esbuild: 0.25.0
'@babel/helpers': 7.26.10
@@ -562,7 +562,7 @@ overrides:
'@types/express': 4.17.23
typescript: 5.8.3
vite: 7.3.2
qs: 6.14.2
qs: 6.15.2
diff: 5.2.2
webpack: 5.104.1
lodash-es: 4.18.1
@@ -582,10 +582,12 @@ overrides:
path-to-regexp: 0.1.13
defu: 6.1.5
postcss: 8.5.10
axios: 1.15.2
axios: 1.16.0
follow-redirects: 1.16.0
uuid: 14.0.0
fast-uri@<3.1.2: '>=3.1.2'
tmp: 0.2.6
ws@8: 8.20.1
importers:
@@ -655,8 +657,8 @@ importers:
specifier: 'catalog:'
version: 3.13.12
axios:
specifier: 1.15.2
version: 1.15.2
specifier: 1.16.0
version: 1.16.0
isbot:
specifier: 'catalog:'
version: 5.1.31
@@ -788,8 +790,8 @@ importers:
specifier: 'catalog:'
version: 2.26.2(@tiptap/core@2.26.3(@tiptap/pm@3.6.6))(@tiptap/pm@3.6.6)
axios:
specifier: 1.15.2
version: 1.15.2
specifier: 1.16.0
version: 1.16.0
compression:
specifier: 'catalog:'
version: 1.8.1
@@ -825,7 +827,7 @@ importers:
version: 14.0.0
ws:
specifier: 'catalog:'
version: 8.18.3
version: 8.20.1
y-prosemirror:
specifier: 'catalog:'
version: 1.3.7(prosemirror-model@1.25.3)(prosemirror-state@1.4.3)(prosemirror-view@1.40.0)(y-protocols@1.0.6(yjs@13.6.27))(yjs@13.6.27)
@@ -933,8 +935,8 @@ importers:
specifier: 'catalog:'
version: 7.13.1(react-router@7.12.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(typescript@5.8.3)
axios:
specifier: 1.15.2
version: 1.15.2
specifier: 1.16.0
version: 1.16.0
clsx:
specifier: 'catalog:'
version: 2.1.1
@@ -1096,8 +1098,8 @@ importers:
specifier: 'catalog:'
version: 8.21.3(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
axios:
specifier: 1.15.2
version: 1.15.2
specifier: 1.16.0
version: 1.16.0
clsx:
specifier: 'catalog:'
version: 2.1.1
@@ -1664,8 +1666,8 @@ importers:
specifier: workspace:*
version: link:../types
axios:
specifier: 1.15.2
version: 1.15.2
specifier: 1.16.0
version: 1.16.0
file-type:
specifier: 'catalog:'
version: 21.3.3
@@ -5060,8 +5062,8 @@ packages:
resolution: {integrity: sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==}
engines: {node: '>= 0.4'}
axios@1.15.2:
resolution: {integrity: sha512-wLrXxPtcrPTsNlJmKjkPnNPK2Ihe0hn0wGSaTEiHRPxwjvJwT3hKmXF4dpqxmPO9SoNb2FsYXj/xEo0gHN+D5A==}
axios@1.16.0:
resolution: {integrity: sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==}
babel-dead-code-elimination@1.0.10:
resolution: {integrity: sha512-DV5bdJZTzZ0zn0DC24v3jD7Mnidh6xhKa4GfKCbq3sfW8kaWhDdZjP3i81geA8T33tdYqWKw4D3fVv0CwEgKVA==}
@@ -5122,8 +5124,8 @@ packages:
resolution: {integrity: sha512-j//dBVuyacJbvW+tvZ9HuH03fZ46QcaKvvhZickZqtB271DxJ7SNRSNxrV/dZX0085m7hISRZWbzWlJvx/rHSg==}
engines: {node: '>=14.16'}
brace-expansion@5.0.5:
resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
brace-expansion@5.0.6:
resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==}
engines: {node: 18 || 20 || >=22}
braces@3.0.3:
@@ -7694,8 +7696,8 @@ packages:
pure-rand@6.1.0:
resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==}
qs@6.14.2:
resolution: {integrity: sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==}
qs@6.15.2:
resolution: {integrity: sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==}
engines: {node: '>=0.6'}
quansync@1.0.0:
@@ -8431,8 +8433,8 @@ packages:
peerDependencies:
'@tiptap/core': ^2.0.3
tmp@0.2.5:
resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==}
tmp@0.2.6:
resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
engines: {node: '>=14.14'}
to-regex-range@5.0.1:
@@ -8922,8 +8924,8 @@ packages:
utf-8-validate:
optional: true
ws@8.18.3:
resolution: {integrity: sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==}
ws@8.20.1:
resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==}
engines: {node: '>=10.0.0'}
peerDependencies:
bufferutil: ^4.0.1
@@ -9419,7 +9421,7 @@ snapshots:
'@parcel/watcher': 2.5.4
effect: 3.20.0
multipasta: 0.2.7
ws: 8.18.3
ws: 8.20.1
transitivePeerDependencies:
- bufferutil
- utf-8-validate
@@ -9434,7 +9436,7 @@ snapshots:
effect: 3.20.0
mime: 3.0.0
undici: 7.24.0
ws: 8.18.3
ws: 8.20.1
transitivePeerDependencies:
- bufferutil
- utf-8-validate
@@ -9675,7 +9677,7 @@ snapshots:
'@hocuspocus/common': 2.15.3
'@lifeomic/attempt': 3.1.0
lib0: 0.2.114
ws: 8.18.3
ws: 8.20.1
y-protocols: 1.0.6(yjs@13.6.27)
yjs: 13.6.27
transitivePeerDependencies:
@@ -9689,7 +9691,7 @@ snapshots:
kleur: 4.1.5
lib0: 0.2.114
uuid: 14.0.0
ws: 8.18.3
ws: 8.20.1
y-protocols: 1.0.6(yjs@13.6.27)
yjs: 13.6.27
transitivePeerDependencies:
@@ -12016,7 +12018,7 @@ snapshots:
dependencies:
possible-typed-array-names: 1.1.0
axios@1.15.2:
axios@1.16.0:
dependencies:
follow-redirects: 1.16.0
form-data: 4.0.5
@@ -12075,7 +12077,7 @@ snapshots:
http-errors: 2.0.0
iconv-lite: 0.4.24
on-finished: 2.4.1
qs: 6.14.2
qs: 6.15.2
raw-body: 2.5.2
type-is: 1.6.18
unpipe: 1.0.0
@@ -12095,7 +12097,7 @@ snapshots:
widest-line: 4.0.1
wrap-ansi: 8.1.0
brace-expansion@5.0.5:
brace-expansion@5.0.6:
dependencies:
balanced-match: 4.0.4
@@ -12876,7 +12878,7 @@ snapshots:
parseurl: 1.3.3
path-to-regexp: 0.1.13
proxy-addr: 2.0.7
qs: 6.14.2
qs: 6.15.2
range-parser: 1.2.1
safe-buffer: 5.2.1
send: 0.19.0
@@ -13576,7 +13578,7 @@ snapshots:
neo-async: 2.6.2
picocolors: 1.1.1
recast: 0.23.11
tmp: 0.2.5
tmp: 0.2.6
write-file-atomic: 5.0.1
transitivePeerDependencies:
- supports-color
@@ -14359,11 +14361,11 @@ snapshots:
minimatch@10.2.3:
dependencies:
brace-expansion: 5.0.5
brace-expansion: 5.0.6
minimatch@3.1.4:
dependencies:
brace-expansion: 5.0.5
brace-expansion: 5.0.6
minimist@1.2.8: {}
@@ -14964,7 +14966,7 @@ snapshots:
pure-rand@6.1.0: {}
qs@6.14.2:
qs@6.15.2:
dependencies:
side-channel: 1.1.0
@@ -15716,7 +15718,7 @@ snapshots:
esbuild-register: 3.6.0(esbuild@0.25.0)
recast: 0.23.11
semver: 7.7.4
ws: 8.18.3
ws: 8.20.1
optionalDependencies:
prettier: 3.7.4
transitivePeerDependencies:
@@ -15890,7 +15892,7 @@ snapshots:
markdown-it-task-lists: 2.1.1
prosemirror-markdown: 1.13.2
tmp@0.2.5: {}
tmp@0.2.6: {}
to-regex-range@5.0.1:
dependencies:
@@ -16119,7 +16121,7 @@ snapshots:
url@0.11.4:
dependencies:
punycode: 1.4.1
qs: 6.14.2
qs: 6.15.2
use-callback-ref@1.3.3(@types/react@18.3.11)(react@18.3.1):
dependencies:
@@ -16449,7 +16451,7 @@ snapshots:
ws@7.5.10: {}
ws@8.18.3: {}
ws@8.20.1: {}
y-indexeddb@9.0.12(yjs@13.6.27):
dependencies:
pnpm-workspace.yaml
+6 -4
View File
@@ -95,7 +95,7 @@ catalog:
"@vitest/coverage-v8": "^4.0.8"
"ast-types": "0.14.2"
"autoprefixer": "^10.4.19"
"axios": "1.15.2"
"axios": "1.16.0"
"buffer": "^6.0.3"
"chroma-js": "^3.2.0"
"class-variance-authority": "0.7.1"
@@ -187,7 +187,7 @@ catalog:
"vite-tsconfig-paths": "^5.1.4"
"vitest": "^4.0.8"
"winston": "^3.17.0"
"ws": "^8.18.3"
"ws": "8.20.1"
"y-indexeddb": "^9.0.12"
"y-prosemirror": "^1.3.7"
"y-protocols": "^1.0.6"
@@ -199,7 +199,7 @@ overrides:
mdast-util-to-hast: 13.2.1
valibot: 1.2.0
glob: 11.1.0
brace-expansion: 5.0.5
brace-expansion: 5.0.6
nanoid: 3.3.8
esbuild: 0.25.0
"@babel/helpers": 7.26.10
@@ -209,7 +209,7 @@ overrides:
"@types/express": 4.17.23
typescript: "catalog:"
vite: "catalog:"
qs: 6.14.2
qs: 6.15.2
diff: 5.2.2
webpack: 5.104.1
lodash-es: "catalog:"
@@ -233,6 +233,8 @@ overrides:
follow-redirects: 1.16.0
uuid: "catalog:"
"fast-uri@<3.1.2": ">=3.1.2"
tmp: 0.2.6
"ws@8": 8.20.1
allowBuilds:
"@parcel/watcher": true