
Conversation


@terrymun terrymun commented Sep 12, 2025

Current Behavior

Nx is currently using a vulnerable version of axios (<1.12.0) which has a reported high-level vulnerability CVE-2025-58754. This is being flagged by GitHub Advanced Security on a Nx-powered monorepo:

[Screenshot, 2025-09-12 09:42:56]

Expected Behavior

Nx should be using a patched version of axios (≥1.12.0) that addresses said vulnerability.

Related Issue(s)

Fixes #
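The advisory in the description is a version floor: every resolved copy of axios below 1.12.0 counts as vulnerable, and a pnpm lockfile can pin an older copy even when package.json's caret range would allow the fixed one. The check below is an added example, not code from this PR or from the Nx project: it scans pnpm-lock.yaml text for resolved axios versions (package keys such as `axios@1.10.0:`, dependency lines such as `axios: 1.10.0`, and peer suffixes such as `axios-retry: 4.5.0(axios@1.10.0)`) and reports any that are older than the patched release. The sample lockfile text is constructed here, modelled on the entries in the diff, with a placeholder integrity hash.

```python
import re
from typing import List, Tuple

# Resolved axios versions appear in a pnpm lockfile as a package key
# ("axios@1.10.0:"), as a dependency line ("axios: 1.10.0"), or inside a
# peer-dependency suffix ("axios-retry: 4.5.0(axios@1.10.0)"). The pattern
# deliberately does not match "axios-retry" (no "@" or ":" directly after
# "axios") or a peer range such as "axios: 0.x || 1.x" (no full x.y.z).
_AXIOS_VERSION = re.compile(r"\baxios(?:@|:\s+)(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple that compares numerically
    (so 1.9.0 < 1.12.0, which a plain string comparison gets wrong)."""
    major, minor, patch = text.split(".")[:3]
    return int(major), int(minor), int(patch)


def vulnerable_axios_versions(lock_text: str, fixed_version: str = "1.12.0") -> List[str]:
    """Return the sorted, de-duplicated axios versions resolved in the lockfile
    that are older than fixed_version. An empty list means no vulnerable copy
    is installed anywhere in the graph."""
    fixed = parse_version(fixed_version)
    found = set()
    for match in _AXIOS_VERSION.finditer(lock_text):
        version = tuple(int(part) for part in match.groups())
        if version < fixed:
            found.add(version)
    return [".".join(str(n) for n in v) for v in sorted(found)]


# Constructed sample modelled on the lockfile entries in the PR diff, before the bump.
SAMPLE_LOCK_BEFORE = """\
importers:
  .:
    dependencies:
      axios:
        specifier: ^1.8.3
        version: 1.10.0
packages:
  axios@1.10.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  axios-retry@4.5.0:
    peerDependencies:
      axios: 0.x || 1.x
snapshots:
  axios-retry@4.5.0(axios@1.10.0):
    dependencies:
      axios: 1.10.0
      is-retry-allowed: 2.2.0
"""

# The same sample after the bump: every resolved copy is 1.12.0.
SAMPLE_LOCK_AFTER = SAMPLE_LOCK_BEFORE.replace("1.10.0", "1.12.0")

if __name__ == "__main__":
    print(vulnerable_axios_versions(SAMPLE_LOCK_BEFORE))  # ['1.10.0']
    print(vulnerable_axios_versions(SAMPLE_LOCK_AFTER))   # []
```

The importer block's own `version:` line is not keyed by package name on the same line, so the check relies on the `packages:` and `snapshots:` sections, which is where every resolved copy (including copies reached only through another package's peer suffix) is listed; running it against the full lockfile before and after an upgrade like this one is a quick way to confirm that no second, older axios survived the bump.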

@terrymun terrymun requested a review from a team as a code owner September 12, 2025 07:41
@terrymun terrymun requested a review from AgentEnder September 12, 2025 07:41

vercel bot commented Sep 12, 2025

The latest updates on your projects.

Project  Deployment  Preview  Updated (UTC)
nx-dev   Ready       Preview  Sep 12, 2025 9:46pm

@terrymun changed the title from "chore: upgrade axios to 1.12.0 to address CVE-2025-58754" to "fix: upgrade axios to 1.12.0 to address CVE-2025-58754" on Sep 12, 2025

nx-cloud bot commented Sep 12, 2025

CI Pipeline Execution for commit 733d322:

Command                                            Status        Duration
nx affected --targets=lint,test,build,e2e,e2e-c... ❌ Failed     11m 8s
nx run-many -t check-imports check-commit check... ✅ Succeeded  2m 11s
nx-cloud record -- nx-cloud conformance:check      ✅ Succeeded  2s
nx-cloud record -- nx format:check                 ✅ Succeeded  5s
nx-cloud record -- nx sync:check                   ✅ Succeeded  5s
nx documentation                                   ✅ Succeeded  3m 44s

☁️ Nx Cloud last updated this comment at 2025-09-13 09:04:23 UTC


@JamesHenry JamesHenry left a comment


Naturally, a DoS vulnerability is not relevant to Nx at all, but we can get this merged to help with noise on your end.

@JamesHenry changed the title from "fix: upgrade axios to 1.12.0 to address CVE-2025-58754" to "fix(core): upgrade axios to 1.12.0 to address CVE-2025-58754" on Sep 12, 2025
@terrymun (Contributor, author):

@JamesHenry I totally agree. I just feel like it's always a good idea to address security advisories, even though Nx doesn't have a public-facing API, so a DoS attack vector is not relevant here.

@JamesHenry (Collaborator):

@terrymun Sorry, you need to redo your commit to match the required conventions (you can see what I did to the PR title). We have a pre-commit hook to catch this, so you must have bypassed it?


@nx-cloud nx-cloud bot left a comment


Nx Cloud is proposing a fix for your failed CI:

chore(repo): upgrade axios to 1.12.0 to address CVE-2025-58754

We verified this fix by re-running @nx/nx-source:check-commit.

Suggested fix (diff):
diff --git a/package.json b/package.json
index 8be780920a1..da86c04ccd0 100644
--- a/package.json
+++ b/package.json
@@ -367,7 +367,7 @@
     "@types/three": "^0.166.0",
     "@yarnpkg/lockfile": "^1.1.0",
     "@yarnpkg/parsers": "3.0.2",
-    "axios": "^1.8.3",
+    "axios": "^1.12.0",
     "classnames": "^2.5.1",
     "cliui": "^8.0.1",
     "clsx": "^2.0.0",
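Review bot: the range being replaced, `"axios": "^1.8.3"`, already permitted 1.12.0, so the bump to `"^1.12.0"` is really a floor change: it is what forces a lockfile that currently pins 1.10.0 forward, because an install that honours the existing lockfile would otherwise keep the old copy. It would be worth saying in the commit body that the lockfile pin, not the package.json range, is what was holding the vulnerable version, so later readers do not assume the range alone was the problem.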
diff --git a/packages/create-nx-workspace/package.json b/packages/create-nx-workspace/package.json
index 149c7492679..9888fff5f3d 100644
--- a/packages/create-nx-workspace/package.json
+++ b/packages/create-nx-workspace/package.json
@@ -30,14 +30,14 @@
   },
   "homepage": "https://nx.dev",
   "dependencies": {
+    "axios": "^1.12.0",
     "chalk": "^4.1.0",
     "enquirer": "~2.3.6",
     "flat": "^5.0.2",
     "ora": "5.3.0",
     "tmp": "~0.2.1",
     "tslib": "^2.3.0",
-    "yargs": "^17.6.2",
-    "axios": "^1.8.3"
+    "yargs": "^17.6.2"
   },
   "publishConfig": {
     "access": "public"
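Review bot: this hunk does two things at once: it bumps the axios range and moves the entry from the end of `dependencies` (after `"yargs": "^17.6.2"`, where it also lacked a trailing comma) to its alphabetical slot at the top. The reorder is harmless and brings this file in line with the other package.json files, but it makes the diff read like a removed-and-readded dependency; a one-line note in the PR description that the move is intentional would spare reviewers a second look.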
diff --git a/packages/nx/package.json b/packages/nx/package.json
index d56a59f2522..c5fb5185786 100644
--- a/packages/nx/package.json
+++ b/packages/nx/package.json
@@ -41,7 +41,7 @@
     "@yarnpkg/lockfile": "^1.1.0",
     "@yarnpkg/parsers": "3.0.2",
     "@zkochan/js-yaml": "0.0.7",
-    "axios": "^1.8.3",
+    "axios": "^1.12.0",
     "chalk": "^4.1.0",
     "cli-cursor": "3.1.0",
     "cli-spinners": "2.6.1",
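Review bot: this matches the root package.json bump, so `packages/nx`, `create-nx-workspace` and the root now declare the same `^1.12.0` range and pnpm can resolve all three importers to a single axios copy. Keeping the three ranges identical is the thing to preserve in future bumps, since a divergent range in any one of them is how a second, older copy creeps back into the lockfile.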
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 76d8e6baadb..a554c13f431 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -82,8 +82,8 @@
         specifier: 3.0.2
         version: 3.0.2
       axios:
-        specifier: ^1.8.3
-        version: 1.10.0
+        specifier: ^1.12.0
+        version: 1.12.0
       classnames:
         specifier: ^2.5.1
         version: 2.5.1
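Review bot: the removed lines show `specifier: ^1.8.3` next to `version: 1.10.0`, which confirms the vulnerable copy was a lockfile pin rather than a package.json constraint. For future triage of advisories like this one, the `version:` lines (and the package keys further down) are what should be compared against the fixed release, not the specifiers, since a permissive specifier says nothing about what is actually installed.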
@@ -2593,8 +2593,8 @@
   packages/create-nx-workspace:
     dependencies:
       axios:
-        specifier: ^1.8.3
-        version: 1.10.0
+        specifier: ^1.12.0
+        version: 1.12.0
       chalk:
         specifier: ^4.1.0
         version: 4.1.2
@@ -3252,8 +3252,8 @@
         specifier: 0.0.7
         version: 0.0.7
       axios:
-        specifier: ^1.8.3
-        version: 1.10.0
+        specifier: ^1.12.0
+        version: 1.12.0
       chalk:
         specifier: ^4.1.0
         version: 4.1.2
@@ -12730,8 +12730,8 @@
     peerDependencies:
       axios: 0.x || 1.x
 
-  [email protected]:
-    resolution: {integrity: sha512-/1xYAC4MP/HEG+3duIhFr4ZQXR4sQXOIe+o6sdqzeykGLx6Upp/1p8MHqhINOvGeP7xyNHe7tsiJByc4SSVUxw==}
+  [email protected]:
+    resolution: {integrity: sha512-oXTDccv8PcfjZmPGlWsPSwtOJCZ/b6W5jAMCNcfwJbCzDckwG0jrYJFaWH1yvivfCXjVzV/SPDEhMB3Q+DSurg==}
 
   [email protected]:
     resolution: {integrity: sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==}
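Review bot: the `resolution: {integrity: sha512-…}` value in the `+` line is the supply-chain anchor for the new axios 1.12.0 tarball, and since this diff was generated by the bot rather than written by hand, that hash should be confirmed against what the npm registry publishes for 1.12.0 before merging rather than taken on trust. Separately, the package key lines appear here as `[email protected]`, which looks like extraction mangling of the `axios@<version>` key in the rendered page rather than anything in the lockfile itself.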
@@ -30480,7 +30480,7 @@
       '@module-federation/third-party-dts-extractor': 0.18.0
       adm-zip: 0.5.16
       ansi-colors: 4.1.3
-      axios: 1.10.0
+      axios: 1.12.0
       chalk: 3.0.0
       fs-extra: 9.1.0
       isomorphic-ws: 5.0.0([email protected])
@@ -32416,8 +32416,8 @@
   '@nx/[email protected]':
     dependencies:
       '@napi-rs/wasm-runtime': 0.2.4
-      axios: 1.10.0
-      axios-retry: 4.5.0([email protected])
+      axios: 1.12.0
+      axios-retry: 4.5.0([email protected])
       chalk: 4.1.2
       enquirer: 2.4.1
       ora: 5.4.1
@@ -37406,12 +37406,12 @@
 
   [email protected]: {}
 
-  [email protected]([email protected]):
+  [email protected]([email protected]):
     dependencies:
-      axios: 1.10.0
+      axios: 1.12.0
       is-retry-allowed: 2.2.0
 
-  [email protected]:
+  [email protected]:
     dependencies:
       follow-redirects: 1.15.9([email protected])
       form-data: 4.0.4
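Review bot: the `axios-retry@4.5.0(axios@…)` snapshot key is rebuilt against the new axios, and the unchanged `peerDependencies: axios: 0.x || 1.x` shown as context in an earlier hunk confirms that 1.12.0 satisfies axios-retry's peer range, so no axios-retry bump is needed. The `follow-redirects: 1.15.9(…)` and `form-data: 4.0.4` lines being untouched context also shows the upgrade did not pull in new or changed transitive dependencies, which is the other thing to check on a bot-generated lockfile update.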
@@ -46699,7 +46699,7 @@
       '@yarnpkg/lockfile': 1.1.0
       '@yarnpkg/parsers': 3.0.2
       '@zkochan/js-yaml': 0.0.7
-      axios: 1.10.0
+      axios: 1.12.0
       chalk: 4.1.2
       cli-cursor: 3.1.0
       cli-spinners: 2.6.1


@terrymun (Contributor, author) commented Sep 12, 2025

@JamesHenry Whoops, my bad! I pushed with --no-verify because of a Git LFS warning that I couldn't get rid of (even after deleting the pre-push hook locally).

@FrozenPandaz (Collaborator):

Changes look good to me. The CI failures look unrelated, other than the commit message? Hopefully it passes once you update your commit 🤞

@terrymun force-pushed the chore/upgrade-axios-to-1-12-0 branch from b331afb to 67ab37e on September 12, 2025 17:22
@terrymun (Contributor, author):

@FrozenPandaz @JamesHenry Thanks for the tips. I've fixed the incorrect commit message and pushed. Hope it will pass CI checks now :)

@JamesHenry (Collaborator) commented Sep 13, 2025

@terrymun If you hit some flake again, it's better to ping us to rerun rather than force-push, because the workflows won't run without our approval anyway.
