fix: bump npm deps to resolve Dependabot advisories (#9191)

* fix: bump npm deps to resolve Dependabot advisories Resolve 8 open Dependabot alerts (all npm, in pnpm-lock.yaml) by bumping the affected packages in pnpm-workspace.yaml and regenerating the lockfile: - axios 1.15.2 -> 1.16.0 (catalog): CVE-2026-44494/44492/44490/44489 - tmp -> 0.2.6 (override): CVE-2026-44705 path traversal - ws 8.x -> 8.20.1 (catalog + scoped override): CVE-2026-45736 - qs 6.14.2 -> 6.15.2 (override): CVE-2026-8723 DoS - brace-expansion 5.0.5 -> 5.0.6 (override): CVE-2026-45149 DoS brace-expansion and qs were pinned to their vulnerable versions in the overrides block, so the pins had to be bumped directly. ws is scoped to the 8.x major (ws@7.5.10 is below the vulnerable >=8.0.0 floor). All bumps are semver-compatible patch/minor upgrades; no source changes required. * fix: use named axios `create` import after 1.16.0 bump axios 1.16.0 newly exposes `create` as a named export, so oxlint's import/no-named-as-default-member rule now flags `axios.create(...)`. That added one warning to @plane/services (7 > its --max-warnings=6 baseline) and to apps/web and apps/live, failing check:lint — surfaced on this PR because the lockfile change busts Turbo's lint cache. Switch the three `axios.create(...)` call sites to a named `{ create }` import. `create` is a real value+type export in axios 1.16.0 (verified via tsc). isCancel/CancelToken are left as `axios.*`: CancelToken is only a type export (cannot be a value import under verbatimModuleSyntax) and both were already counted within the existing baselines. Verified locally: full `pnpm check:lint` (16/16) and `check:types` (15/15) pass.
2026-06-14 03:30:00 +00:00 · 2026-06-01 18:37:35 +05:30
parent e388cb9125
commit 7ec8d4990f
5 changed files with 56 additions and 52 deletions
@@ -5,7 +5,7 @@
 */
 import type { AxiosInstance } from "axios";
-import axios from "axios";
+import { create } from "axios";
 import { env } from "@/env";
 import { AppError } from "@/lib/errors";
@@ -16,7 +16,7 @@ export abstract class APIService {
  constructor(baseURL?: string) {
    this.baseURL = baseURL || env.API_BASE_URL;
-    this.axiosInstance = axios.create({
+    this.axiosInstance = create({
      baseURL: this.baseURL,
      withCredentials: true,
      timeout: 20000,
@@ -6,7 +6,7 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import type { AxiosInstance, AxiosRequestConfig } from "axios";
-import axios from "axios";
+import { create } from "axios";
 export abstract class APIService {
  protected baseURL: string;
@@ -14,7 +14,7 @@ export abstract class APIService {
  constructor(baseURL: string) {
    this.baseURL = baseURL;
-    this.axiosInstance = axios.create({
+    this.axiosInstance = create({
      baseURL,
      withCredentials: true,
    });
@@ -5,7 +5,7 @@
 */
 import type { AxiosInstance, AxiosRequestConfig } from "axios";
-import axios from "axios";
+import { create } from "axios";
 /**
 * Abstract base class for making HTTP requests using axios
@@ -21,7 +21,7 @@ export abstract class APIService {
   */
  constructor(baseURL: string) {
    this.baseURL = baseURL;
-    this.axiosInstance = axios.create({
+    this.axiosInstance = create({
      baseURL,
      withCredentials: true,
    });
@@ -529,8 +529,8 @@ catalogs:
      specifier: ^3.17.0
      version: 3.17.0
    ws:
-      specifier: ^8.18.3
+      specifier: 8.20.1
-      version: 8.18.3
+      version: 8.20.1
    y-indexeddb:
      specifier: ^9.0.12
      version: 9.0.12
@@ -552,7 +552,7 @@ overrides:
  mdast-util-to-hast: 13.2.1
  valibot: 1.2.0
  glob: 11.1.0
-  brace-expansion: 5.0.5
+  brace-expansion: 5.0.6
  nanoid: 3.3.8
  esbuild: 0.25.0
  '@babel/helpers': 7.26.10
@@ -562,7 +562,7 @@ overrides:
  '@types/express': 4.17.23
  typescript: 5.8.3
  vite: 7.3.2
-  qs: 6.14.2
+  qs: 6.15.2
  diff: 5.2.2
  webpack: 5.104.1
  lodash-es: 4.18.1
@@ -582,10 +582,12 @@ overrides:
  path-to-regexp: 0.1.13
  defu: 6.1.5
  postcss: 8.5.10
-  axios: 1.15.2
+  axios: 1.16.0
  follow-redirects: 1.16.0
  uuid: 14.0.0
  fast-uri@<3.1.2: '>=3.1.2'
  tmp: 0.2.6
  ws@8: 8.20.1
 importers:
@@ -655,8 +657,8 @@ importers:
        specifier: 'catalog:'
        version: 3.13.12
      axios:
-        specifier: 1.15.2
+        specifier: 1.16.0
-        version: 1.15.2
+        version: 1.16.0
      isbot:
        specifier: 'catalog:'
        version: 5.1.31
@@ -788,8 +790,8 @@ importers:
        specifier: 'catalog:'
        version: 2.26.2(@tiptap/core@2.26.3(@tiptap/pm@3.6.6))(@tiptap/pm@3.6.6)
      axios:
-        specifier: 1.15.2
+        specifier: 1.16.0
-        version: 1.15.2
+        version: 1.16.0
      compression:
        specifier: 'catalog:'
        version: 1.8.1
@@ -825,7 +827,7 @@ importers:
        version: 14.0.0
      ws:
        specifier: 'catalog:'
-        version: 8.18.3
+        version: 8.20.1
      y-prosemirror:
        specifier: 'catalog:'
        version: 1.3.7(prosemirror-model@1.25.3)(prosemirror-state@1.4.3)(prosemirror-view@1.40.0)(y-protocols@1.0.6(yjs@13.6.27))(yjs@13.6.27)
@@ -933,8 +935,8 @@ importers:
        specifier: 'catalog:'
        version: 7.13.1(react-router@7.12.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(typescript@5.8.3)
      axios:
-        specifier: 1.15.2
+        specifier: 1.16.0
-        version: 1.15.2
+        version: 1.16.0
      clsx:
        specifier: 'catalog:'
        version: 2.1.1
@@ -1096,8 +1098,8 @@ importers:
        specifier: 'catalog:'
        version: 8.21.3(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
      axios:
-        specifier: 1.15.2
+        specifier: 1.16.0
-        version: 1.15.2
+        version: 1.16.0
      clsx:
        specifier: 'catalog:'
        version: 2.1.1
@@ -1664,8 +1666,8 @@ importers:
        specifier: workspace:*
        version: link:../types
      axios:
-        specifier: 1.15.2
+        specifier: 1.16.0
-        version: 1.15.2
+        version: 1.16.0
      file-type:
        specifier: 'catalog:'
        version: 21.3.3
@@ -5060,8 +5062,8 @@ packages:
    resolution: {integrity: sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==}
    engines: {node: '>= 0.4'}
-  axios@1.15.2:
+  axios@1.16.0:
-    resolution: {integrity: sha512-wLrXxPtcrPTsNlJmKjkPnNPK2Ihe0hn0wGSaTEiHRPxwjvJwT3hKmXF4dpqxmPO9SoNb2FsYXj/xEo0gHN+D5A==}
+    resolution: {integrity: sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==}
  babel-dead-code-elimination@1.0.10:
    resolution: {integrity: sha512-DV5bdJZTzZ0zn0DC24v3jD7Mnidh6xhKa4GfKCbq3sfW8kaWhDdZjP3i81geA8T33tdYqWKw4D3fVv0CwEgKVA==}
@@ -5122,8 +5124,8 @@ packages:
    resolution: {integrity: sha512-j//dBVuyacJbvW+tvZ9HuH03fZ46QcaKvvhZickZqtB271DxJ7SNRSNxrV/dZX0085m7hISRZWbzWlJvx/rHSg==}
    engines: {node: '>=14.16'}
-  brace-expansion@5.0.5:
+  brace-expansion@5.0.6:
-    resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
+    resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==}
    engines: {node: 18 || 20 || >=22}
  braces@3.0.3:
@@ -7694,8 +7696,8 @@ packages:
  pure-rand@6.1.0:
    resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==}
-  qs@6.14.2:
+  qs@6.15.2:
-    resolution: {integrity: sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==}
+    resolution: {integrity: sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==}
    engines: {node: '>=0.6'}
  quansync@1.0.0:
@@ -8431,8 +8433,8 @@ packages:
    peerDependencies:
      '@tiptap/core': ^2.0.3
-  tmp@0.2.5:
+  tmp@0.2.6:
-    resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==}
+    resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
    engines: {node: '>=14.14'}
  to-regex-range@5.0.1:
@@ -8922,8 +8924,8 @@ packages:
      utf-8-validate:
        optional: true
-  ws@8.18.3:
+  ws@8.20.1:
-    resolution: {integrity: sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==}
+    resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==}
    engines: {node: '>=10.0.0'}
    peerDependencies:
      bufferutil: ^4.0.1
@@ -9419,7 +9421,7 @@ snapshots:
      '@parcel/watcher': 2.5.4
      effect: 3.20.0
      multipasta: 0.2.7
-      ws: 8.18.3
+      ws: 8.20.1
    transitivePeerDependencies:
      - bufferutil
      - utf-8-validate
@@ -9434,7 +9436,7 @@ snapshots:
      effect: 3.20.0
      mime: 3.0.0
      undici: 7.24.0
-      ws: 8.18.3
+      ws: 8.20.1
    transitivePeerDependencies:
      - bufferutil
      - utf-8-validate
@@ -9675,7 +9677,7 @@ snapshots:
      '@hocuspocus/common': 2.15.3
      '@lifeomic/attempt': 3.1.0
      lib0: 0.2.114
-      ws: 8.18.3
+      ws: 8.20.1
      y-protocols: 1.0.6(yjs@13.6.27)
      yjs: 13.6.27
    transitivePeerDependencies:
@@ -9689,7 +9691,7 @@ snapshots:
      kleur: 4.1.5
      lib0: 0.2.114
      uuid: 14.0.0
-      ws: 8.18.3
+      ws: 8.20.1
      y-protocols: 1.0.6(yjs@13.6.27)
      yjs: 13.6.27
    transitivePeerDependencies:
@@ -12016,7 +12018,7 @@ snapshots:
    dependencies:
      possible-typed-array-names: 1.1.0
-  axios@1.15.2:
+  axios@1.16.0:
    dependencies:
      follow-redirects: 1.16.0
      form-data: 4.0.5
@@ -12075,7 +12077,7 @@ snapshots:
      http-errors: 2.0.0
      iconv-lite: 0.4.24
      on-finished: 2.4.1
-      qs: 6.14.2
+      qs: 6.15.2
      raw-body: 2.5.2
      type-is: 1.6.18
      unpipe: 1.0.0
@@ -12095,7 +12097,7 @@ snapshots:
      widest-line: 4.0.1
      wrap-ansi: 8.1.0
-  brace-expansion@5.0.5:
+  brace-expansion@5.0.6:
    dependencies:
      balanced-match: 4.0.4
@@ -12876,7 +12878,7 @@ snapshots:
      parseurl: 1.3.3
      path-to-regexp: 0.1.13
      proxy-addr: 2.0.7
-      qs: 6.14.2
+      qs: 6.15.2
      range-parser: 1.2.1
      safe-buffer: 5.2.1
      send: 0.19.0
@@ -13576,7 +13578,7 @@ snapshots:
      neo-async: 2.6.2
      picocolors: 1.1.1
      recast: 0.23.11
-      tmp: 0.2.5
+      tmp: 0.2.6
      write-file-atomic: 5.0.1
    transitivePeerDependencies:
      - supports-color
@@ -14359,11 +14361,11 @@ snapshots:
  minimatch@10.2.3:
    dependencies:
-      brace-expansion: 5.0.5
+      brace-expansion: 5.0.6
  minimatch@3.1.4:
    dependencies:
-      brace-expansion: 5.0.5
+      brace-expansion: 5.0.6
  minimist@1.2.8: {}
@@ -14964,7 +14966,7 @@ snapshots:
  pure-rand@6.1.0: {}
-  qs@6.14.2:
+  qs@6.15.2:
    dependencies:
      side-channel: 1.1.0
@@ -15716,7 +15718,7 @@ snapshots:
      esbuild-register: 3.6.0(esbuild@0.25.0)
      recast: 0.23.11
      semver: 7.7.4
-      ws: 8.18.3
+      ws: 8.20.1
    optionalDependencies:
      prettier: 3.7.4
    transitivePeerDependencies:
@@ -15890,7 +15892,7 @@ snapshots:
      markdown-it-task-lists: 2.1.1
      prosemirror-markdown: 1.13.2
-  tmp@0.2.5: {}
+  tmp@0.2.6: {}
  to-regex-range@5.0.1:
    dependencies:
@@ -16119,7 +16121,7 @@ snapshots:
  url@0.11.4:
    dependencies:
      punycode: 1.4.1
-      qs: 6.14.2
+      qs: 6.15.2
  use-callback-ref@1.3.3(@types/react@18.3.11)(react@18.3.1):
    dependencies:
@@ -16449,7 +16451,7 @@ snapshots:
  ws@7.5.10: {}
-  ws@8.18.3: {}
+  ws@8.20.1: {}
  y-indexeddb@9.0.12(yjs@13.6.27):
    dependencies:
@@ -95,7 +95,7 @@ catalog:
  "@vitest/coverage-v8": "^4.0.8"
  "ast-types": "0.14.2"
  "autoprefixer": "^10.4.19"
-  "axios": "1.15.2"
+  "axios": "1.16.0"
  "buffer": "^6.0.3"
  "chroma-js": "^3.2.0"
  "class-variance-authority": "0.7.1"
@@ -187,7 +187,7 @@ catalog:
  "vite-tsconfig-paths": "^5.1.4"
  "vitest": "^4.0.8"
  "winston": "^3.17.0"
-  "ws": "^8.18.3"
+  "ws": "8.20.1"
  "y-indexeddb": "^9.0.12"
  "y-prosemirror": "^1.3.7"
  "y-protocols": "^1.0.6"
@@ -199,7 +199,7 @@ overrides:
  mdast-util-to-hast: 13.2.1
  valibot: 1.2.0
  glob: 11.1.0
-  brace-expansion: 5.0.5
+  brace-expansion: 5.0.6
  nanoid: 3.3.8
  esbuild: 0.25.0
  "@babel/helpers": 7.26.10
@@ -209,7 +209,7 @@ overrides:
  "@types/express": 4.17.23
  typescript: "catalog:"
  vite: "catalog:"
-  qs: 6.14.2
+  qs: 6.15.2
  diff: 5.2.2
  webpack: 5.104.1
  lodash-es: "catalog:"
@@ -233,6 +233,8 @@ overrides:
  follow-redirects: 1.16.0
  uuid: "catalog:"
  "fast-uri@<3.1.2": ">=3.1.2"
  tmp: 0.2.6
  "ws@8": 8.20.1
 allowBuilds:
  "@parcel/watcher": true