
chore(SEC-10458): upgrade axios to 1.15.2#36

Draft
phantom-autopilot[bot] wants to merge 1 commit into dev from autopilot2/sec-10458_high-upgrade-axios-in-github-com-phantom-synpress-to-1-15-2

Conversation

@phantom-autopilot phantom-autopilot Bot commented May 5, 2026

Summary

Resolves Linear ticket SEC-10458 — upgrade axios to 1.15.2 to remediate GHSA-q8qp-cvcw-x6jj (CVE-2026-42264, HIGH).

Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking. Vulnerable range: >=1.0.0, <1.15.2.

Changes

  • package.json: bump direct dep axios from ^1.4.0 to ^1.15.2.
  • package.json: add axios: "1.15.2" to resolutions to override the exact 1.2.2 pin in etherscan-api@10.3.0. The latest published etherscan-api is 10.3.0 and still pins axios: "1.2.2", so a resolutions override is the only viable path.
  • yarn.lock: regenerated. The lockfile now resolves a single axios@1.15.2 — the prior 1.2.2 and 1.7.7 entries are removed.

Compatibility check

Direct dependencies that reference axios:

  • axios (direct) — bumped to ^1.15.2
  • etherscan-api@10.3.0 — pins axios: 1.2.2 exactly. No newer release exists; resolved via resolutions
  • wait-on@^7.0.1 — declares axios: ^1.6.1, satisfied by 1.15.2 ✅

Test plan

  • CI runs yarn install — no resolution failures.
  • yarn lint passes (no application code changes).
  • No code calls into changed axios behavior — all references go through wait-on / etherscan-api / direct usage; axios 1.x is API-stable.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated dependency to a newer stable version to ensure compatibility and security across the dependency tree.

Resolves GHSA-q8qp-cvcw-x6jj (HIGH) — prototype pollution read-side
gadgets in axios HTTP adapter allowing credential injection / request
hijacking. Vulnerable range: >=1.0.0,<1.15.2.

- Bump direct dependency `axios` from ^1.4.0 to ^1.15.2.
- Add `axios: 1.15.2` to `resolutions` to override the exact 1.2.2 pin
  from `etherscan-api@10.3.0` (no newer version of etherscan-api is
  published that loosens this constraint).
- Lockfile now resolves a single axios entry at 1.15.2; the previous
  1.2.2 and 1.7.7 versions are removed.
@phantom-autopilot
Author

PR opened by agent

#36

@coderabbitai

coderabbitai Bot commented May 5, 2026

📝 Walkthrough

Walkthrough

The PR upgrades the axios dependency from ^1.4.0 to ^1.15.2 and adds an explicit resolution pin to version 1.15.2 to enforce consistent dependency resolution across the project's dependency tree.

Changes

Dependency and Resolution Update

Layer / File(s) | Summary
Dependency Version (package.json) | axios dependency updated from ^1.4.0 to ^1.15.2 in dependencies.
Resolution Lock (package.json) | Explicit resolution added: axios: "1.15.2" to pin the exact version across the dependency tree.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically summarizes the main change: upgrading axios to version 1.15.2 for security remediation.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@phantom-autopilot
Author

Pushed commit unknown to dev

Commit, push, open draft PR


PR opened by agent

PR: #36 (draft, base dev). The etherscan-api@10.3.0 exact pin on axios@1.2.2 had no upstream-loosened release available, so a resolutions override was the only viable path — flagged that explicitly in the PR body and Linear comment.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | npm/axios@1.2.2 ⏵ 1.15.2 | 90 (-9) | 100 (+3) | 100 | 96 (+1) | 100

View full report


@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

108-116: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add axios to overrides to enforce the security fix across all package manager paths.

Line 113 pins axios to 1.15.2 (SEC-10458 security fix) via Yarn resolutions, but the project also runs pnpm (lines 37, 40–46, Dockerfile, pnpm-lock.yaml). The resolutions field only applies to Yarn; pnpm respects overrides. Without axios in overrides, pnpm-based installs may resolve a different axios version, bypassing the security patch.

Suggested patch
  "overrides": {
+    "axios": "1.15.2",
     "lodash@<4.17.20": "4.17.20"
  },
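Review bot: the added `"axios": "1.15.2"` key is version-unqualified, unlike the adjacent `"lodash@<4.17.20": "4.17.20"` key, so it rewrites every axios request in the tree, including the exact `1.2.2` pin from etherscan-api@10.3.0 that the PR body describes. That is the intent here, but it also leaves the override and the `resolutions` entry as two copies of the same pin that must be bumped together on the next advisory. Suggest verifying after install with `pnpm why axios` that a single 1.15.2 is resolved under pnpm as well, and exercising the etherscan-api client once, since forcing a dependency past its own exact pin is the one case where an override can break a transitive consumer.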
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 108 - 116, The package.json currently pins axios
in "resolutions" but not in "overrides", so pnpm installs may not get the
security-pinned axios; add an "axios": "1.15.2" entry to the existing
"overrides" object (alongside the existing lodash override) so both Yarn
(resolutions) and pnpm (overrides) enforce the same axios version; ensure the
version string matches the resolutions entry and valid JSON object syntax in the
"overrides" block.

📥 Commits

Reviewing files that changed from the base of the PR and between ff82e55 and 94311f2.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
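The CodeRabbit finding and the PR's own test plan reduce to one check that is easy to automate: the pin must appear identically on every install path (Yarn `resolutions`, npm `overrides`, pnpm's documented `pnpm.overrides` key), and the regenerated lockfile must resolve exactly one axios version at or above the advisory's fixed version. The script below is an added example, not code from this PR or from the phantom-synpress repository. It assumes a Yarn v1 lockfile layout, and the manifest and lockfile excerpts it parses are constructed to mirror the versions the PR body names (1.2.2 and 1.7.7 before, 1.15.2 after); the function names are the example's own.

```javascript
// Added example (not from this PR or the repository): a pre-merge check that
// an advisory-driven pin is enforced on every install path. It verifies that
// (1) package.json carries the same pin in Yarn `resolutions` and in
//     npm `overrides` / pnpm's `pnpm.overrides`, and
// (2) the Yarn v1 lockfile resolves exactly one version of the package, and
//     that version is not below the fixed version.

const PACKAGE = "axios";
const FIXED_VERSION = "1.15.2"; // first non-vulnerable version per the advisory

// Constructed package.json excerpts for the three states of this PR.
const MANIFEST_BEFORE = JSON.stringify({
  dependencies: { axios: "^1.4.0", "etherscan-api": "^10.3.0", "wait-on": "^7.0.1" },
  overrides: { "lodash@<4.17.20": "4.17.20" },
});
// As opened: direct dep and Yarn resolution bumped, `overrides` still lodash-only.
const MANIFEST_PR = JSON.stringify({
  dependencies: { axios: "^1.15.2", "etherscan-api": "^10.3.0", "wait-on": "^7.0.1" },
  resolutions: { axios: "1.15.2" },
  overrides: { "lodash@<4.17.20": "4.17.20" },
});
// With the reviewer's suggested override applied.
const MANIFEST_FIXED = JSON.stringify({
  dependencies: { axios: "^1.15.2", "etherscan-api": "^10.3.0", "wait-on": "^7.0.1" },
  resolutions: { axios: "1.15.2" },
  overrides: { axios: "1.15.2", "lodash@<4.17.20": "4.17.20" },
});

// Constructed Yarn v1 lockfile excerpts: before regeneration (two axios
// entries, one of them etherscan-api's exact 1.2.2 pin) and after.
const LOCK_BEFORE = `
axios@1.2.2:
  version "1.2.2"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.2.2.tgz"

"axios@^1.4.0", "axios@^1.6.1":
  version "1.7.7"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.7.7.tgz"
`;
const LOCK_AFTER = `
"axios@1.2.2", "axios@^1.15.2", "axios@^1.6.1":
  version "1.15.2"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.2.tgz"
`;

// Numeric compare of dotted versions (prerelease suffix ignored): -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Yarn v1 lockfile: an unindented line lists the requested specs (comma
// separated, optionally quoted, ending in ":"); the indented `version "..."`
// line that follows belongs to it. Collect distinct versions for `pkg`.
function lockedVersions(lockText, pkg) {
  const versions = new Set();
  let inPkg = false;
  for (const line of lockText.split("\n")) {
    if (line.length && !line.startsWith(" ")) {
      inPkg = line
        .split(",")
        .map((k) => k.trim().replace(/"/g, "").replace(/:$/, ""))
        .some((k) => k.startsWith(pkg + "@"));
      continue;
    }
    const m = inPkg ? line.match(/^\s+version "([^"]+)"/) : null;
    if (m) versions.add(m[1]);
  }
  return [...versions];
}

// Returns human-readable findings; an empty list means the pin is enforced
// for Yarn, npm and pnpm installs and the lockfile already reflects it.
function auditPin(manifestText, lockText, pkg, fixed) {
  const m = JSON.parse(manifestText);
  const findings = [];
  const res = m.resolutions && m.resolutions[pkg];
  const ovr = (m.overrides && m.overrides[pkg]) ||
    (m.pnpm && m.pnpm.overrides && m.pnpm.overrides[pkg]);
  if (!res) findings.push(`${pkg}: no resolutions entry (Yarn installs unpinned)`);
  if (!ovr) findings.push(`${pkg}: no overrides entry (npm/pnpm installs unpinned)`);
  if (res && ovr && res !== ovr) findings.push(`${pkg}: resolutions ${res} and overrides ${ovr} disagree`);
  for (const pin of [res, ovr]) {
    if (pin && cmpVersion(pin, fixed) < 0) findings.push(`${pkg}: pin ${pin} is below fixed version ${fixed}`);
  }
  const locked = lockedVersions(lockText, pkg);
  if (locked.length !== 1) findings.push(`${pkg}: lockfile resolves ${locked.length} versions (${locked.join(", ") || "none"})`);
  for (const v of locked) {
    if (cmpVersion(v, fixed) < 0) findings.push(`${pkg}: locked ${v} is still in the vulnerable range`);
  }
  return findings;
}

// Walk through the three states of this PR; only the last one is clean.
for (const [label, manifest, lock] of [
  ["before PR", MANIFEST_BEFORE, LOCK_BEFORE],
  ["PR as opened", MANIFEST_PR, LOCK_AFTER],
  ["PR + overrides", MANIFEST_FIXED, LOCK_AFTER],
]) {
  console.log(label, auditPin(manifest, lock, PACKAGE, FIXED_VERSION));
}
```

Run against the real files by replacing the constructed strings with `fs.readFileSync("package.json", "utf8")` and `fs.readFileSync("yarn.lock", "utf8")`; a pnpm project would additionally need the same single-version check against pnpm-lock.yaml, whose format this Yarn v1 parser does not cover.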
