Archon/package.json
Rasmus Widing 6b4a4510b1 fix(deps): override transitive axios to ^1.15.0 for CVE-2025-62718
axios <1.15.0 can be coerced to bypass NO_PROXY rules via hostname
normalization, enabling SSRF in the right network shape. Archon pulls
axios transitively through @slack/bolt (^1.12.0) and @slack/web-api
(^1.13.5); before this change bun.lock resolved axios@1.13.6 — within
the vulnerable range.

Adding "axios": "^1.15.0" to the "overrides" block of the root package.json bumps the
transitive resolution to axios@1.15.1 (latest compatible 1.x). Both
Slack range specs accept it without API surface changes — no downstream
code touches axios directly.

Supersedes #1153. Credits @stefans71 for identifying and reporting the
vulnerability; their PR was stale on the lockfile (0.3.5 → 0.3.6 drift
on dev), so this is a fresh one-line re-do on current dev.

Closes #1053.

Co-authored-by: Stefans71 <stefans71@users.noreply.github.com>
2026-04-21 12:46:22 +03:00


{
"name": "archon",
"version": "0.3.6",
"private": true,
"workspaces": [
"packages/*"
],
"type": "module",
"scripts": {
"cli": "bun --cwd packages/cli src/cli.ts",
"dev": "bun --filter '*' dev",
"dev:server": "bun --filter @archon/server dev",
"start": "bun --filter @archon/server start",
"build": "bun --filter '*' build",
"build:binaries": "bash scripts/build-binaries.sh",
"build:checksums": "bash scripts/checksums.sh",
"generate:bundled": "bun run scripts/generate-bundled-defaults.ts",
"check:bundled": "bun run scripts/generate-bundled-defaults.ts --check",
"test": "bun --filter '*' --parallel test",
"test:watch": "bun --filter @archon/server test:watch",
"type-check": "bun --filter '*' type-check && bun x tsc --noEmit -p scripts/tsconfig.json",
"lint": "bun x eslint . --cache",
"lint:fix": "bun x eslint . --cache --fix",
"format": "bun x prettier --write .",
"format:check": "bun x prettier --check .",
"dev:web": "bun --filter @archon/web dev",
"build:web": "bun --filter @archon/web build",
"dev:docs": "bun --filter @archon/docs-web dev",
"build:docs": "bun --filter @archon/docs-web build",
"validate": "bun run check:bundled && bun run type-check && bun run lint --max-warnings 0 && bun run format:check && bun run test",
"prepare": "husky",
"setup-auth": "bun --filter @archon/server setup-auth"
},
"devDependencies": {
"@eslint/js": "^9.39.1",
"@types/bun": "latest",
"bun-types": "^1.3.5",
"eslint": "^9.39.1",
"eslint-config-prettier": "10.1.8",
"husky": "^9.1.7",
"lint-staged": "^15.2.0",
"prettier": "^3.7.4",
"typescript": "^5.3.0",
"pino-pretty": "^13",
"typescript-eslint": "^8.48.0"
},
"engines": {
"bun": "^1.3.0"
},
"overrides": {
"test-exclude": "^7.0.1",
"axios": "^1.15.0"
},
"dependencies": {
"@anthropic-ai/claude-agent-sdk": "^0.2.74"
}
}