
fix(browser-tests): Pin axios to 1.13.5 to avoid compromised 1.14.1 #20047

Merged
andreiborza merged 1 commit into develop from ab/pin-axios on Mar 31, 2026

Conversation

@andreiborza
Member

axios 1.14.1 contains a supply chain attack via the plain-crypto-js dependency.

This PR pins to 1.13.5 to prevent accidental upgrades.

See: https://x.com/feross/status/2038807290422370479

axios 1.14.1 contains a supply chain attack via the plain-crypto-js
dependency. Pin to 1.13.5 to prevent accidental upgrades.

See: https://x.com/feross/status/2038807290422370479

Co-Authored-By: Claude claude-opus-4-6 <noreply@anthropic.com>
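One way a repository could verify that a pin like this one actually holds across the whole dependency tree, as an added example that is not the PR's or Sentry's own code: it assumes the package-lock.json v2/v3 `packages` layout and runs on constructed sample inputs, flagging a non-exact spec, any copy of the compromised axios release, and any appearance of the dependency it arrived through.

```javascript
// Added example, not code from the Sentry PR: audit a package.json spec and an
// npm lockfile "packages" map for the compromised axios release named above.

// Values from the PR: the compromised release and the dependency it arrived through.
const COMPROMISED = { name: 'axios', version: '1.14.1', viaDependency: 'plain-crypto-js' };

// An exact pin is a bare version such as "1.13.5"; "^1.13.5" or "~1.14.0" still
// let a fresh install drift onto a later, possibly malicious, release.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// `packages` follows the package-lock.json v2/v3 "packages" object (assumed shape):
// keys are install paths ("node_modules/axios", "node_modules/x/node_modules/axios"),
// values carry at least { version }. Nested copies are checked too, because a
// transitive dependency can pull in the bad version even when the root is pinned.
function auditLock(deps, packages) {
  const findings = [];
  const spec = deps[COMPROMISED.name];
  if (spec !== undefined && !isExactPin(spec)) {
    findings.push(`${COMPROMISED.name} spec "${spec}" is a range, not an exact pin`);
  }
  for (const [path, meta] of Object.entries(packages)) {
    // Package name is whatever follows the last "node_modules/" (handles @scope/name).
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === COMPROMISED.name && meta.version === COMPROMISED.version) {
      findings.push(`${path} resolves to compromised ${COMPROMISED.name}@${COMPROMISED.version}`);
    }
    if (name === COMPROMISED.viaDependency) {
      findings.push(`${path} pulls in ${COMPROMISED.viaDependency}`);
    }
  }
  return findings;
}

// Constructed sample inputs (not real lockfiles or real package versions).
const PINNED_DEPS = { axios: '1.13.5' };
const CLEAN_PACKAGES = {
  'node_modules/axios': { version: '1.13.5' },
  'node_modules/some-helper': { version: '2.0.0' },
};
const DRIFTED_DEPS = { axios: '^1.13.0' };
const DRIFTED_PACKAGES = {
  'node_modules/axios': { version: '1.13.5' },
  'node_modules/some-tool/node_modules/axios': { version: '1.14.1' },
  'node_modules/some-tool/node_modules/plain-crypto-js': { version: '0.0.0-constructed' },
};

console.log(auditLock(PINNED_DEPS, CLEAN_PACKAGES));   // []
console.log(auditLock(DRIFTED_DEPS, DRIFTED_PACKAGES)); // three findings
```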
andreiborza requested a review from chargome on March 31, 2026 05:14
@github-actions
Contributor

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

New Features ✨

Deps

  • Bump babel-loader from 10.0.0 to 10.1.1 by dependabot in #19997
  • Bump handlebars from 4.7.7 to 4.7.9 by dependabot in #20008

Nuxt

  • Add middleware instrumentation compatibility for Nuxt 5 by s1gr1d in #19968
  • Support parametrized SSR routes in Nuxt 5 by s1gr1d in #19977

Other

  • (browser) Replace element timing spans with metrics by logaretm in #19869
  • (bun) Add bunRuntimeMetricsIntegration by chargome in #19979
  • (core) Support embedding APIs in google-genai by nicohrubec in #19797
  • (node) Add nodeRuntimeMetricsIntegration by chargome in #19923
  • (node-core) Add OTLP integration for node-core/light by andreiborza in #19729
  • (solid) Add route parametrization for Solid Router by andreiborza in #20031

Bug Fixes 🐛

Ci

  • Update validate-pr action to remove draft enforcement by stephanie-anderson in #20037
  • Update validate-pr action to remove draft enforcement by stephanie-anderson in #20035

Node

  • Deduplicate sentry-trace and baggage headers on outgoing requests by Lms24 in #19960
  • Ensure startNewTrace propagates traceId in OTel environments by logaretm in #19963

Other

  • (browser-tests) Pin axios to 1.13.5 to avoid compromised 1.14.1 by andreiborza in #20047
  • (core) Guard nullish response in supabase PostgREST handler by antonis in #20033
  • (e2e) Pin @opentelemetry/api to 1.9.0 in ts3.8 test app by logaretm in #19992
  • (nuxt) Use virtual module for Nuxt pages data (SSR route parametrization) by s1gr1d in #20020
  • (opentelemetry) Convert seconds timestamps in span.end() to milliseconds by logaretm in #19958
  • (profiling) Disable profiling in worker threads by chargome in #20040
  • (react-router) Disable debug ID injection in Vite plugin to prevent double injection by isaacs in #19890

Documentation 📚

  • (release) Update publishing-a-release.md by nicohrubec in #19982

Internal Changes 🔧

Core

  • Introduce instrumented method registry for AI integrations by nicohrubec in #19981
  • Consolidate getOperationName into one shared utility by nicohrubec in #19971

Deps

  • Bump amqplib from 0.10.7 to 0.10.9 by dependabot in #20000
  • Bump actions/upload-artifact from 6 to 7 by dependabot in #19569
  • Bump srvx from 0.11.12 to 0.11.13 by dependabot in #20001
  • Bump @apollo/server from 5.4.0 to 5.5.0 by dependabot in #20007

Deps Dev

  • Remove esbuild override in astro-5-cf-workers E2E test by isaacs in #20024
  • Bump node-forge from 1.3.2 to 1.4.0 by dependabot in #20012
  • Bump yaml from 2.8.2 to 2.8.3 by dependabot in #19985

Other

  • (browser) Reduce browser package bundle size by HazAT in #19856
  • (browser-tests) Add waitForMetricRequest helper by logaretm in #20002
  • (deno) Expand Deno E2E test coverage by chargome in #19957
  • (e2e) Add e2e tests for nodeRuntimeMetricsIntegration by chargome in #19989

🤖 This preview updates automatically when you update the PR.

@github-actions
Contributor

size-limit report 📦

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 25.64 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.13 kB | - | - |
| @sentry/browser (incl. Tracing) | 42.15 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 46.76 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 80.94 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.56 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.65 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 97.91 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.42 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.3 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.28 kB | - | - |
| @sentry/browser (incl. Metrics) | 26.95 kB | - | - |
| @sentry/browser (incl. Logs) | 27.1 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.77 kB | - | - |
| @sentry/react | 27.41 kB | - | - |
| @sentry/react (incl. Tracing) | 44.48 kB | - | - |
| @sentry/vue | 30.08 kB | - | - |
| @sentry/vue (incl. Tracing) | 44.05 kB | - | - |
| @sentry/svelte | 25.66 kB | - | - |
| CDN Bundle | 28.31 kB | - | - |
| CDN Bundle (incl. Tracing) | 43.1 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 29.68 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.16 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.48 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 80 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81.04 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.54 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.58 kB | - | - |
| CDN Bundle - uncompressed | 82.66 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 127.81 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 86.81 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 131.22 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 209.79 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.68 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 248.08 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.59 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 260.98 kB | - | - |
| @sentry/nextjs (client) | 46.89 kB | - | - |
| @sentry/sveltekit (client) | 42.62 kB | - | - |
| @sentry/node-core | 56.7 kB | +0.03% | +14 B 🔺 |
| @sentry/node | 173.85 kB | +0.01% | +9 B 🔺 |
| @sentry/node - without tracing | 96.77 kB | +0.01% | +5 B 🔺 |
| @sentry/aws-serverless | 113.76 kB | +0.01% | +9 B 🔺 |


@github-actions
Contributor

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
| --- | --- | --- | --- | --- |
| GET Baseline | 9,369 | - | 8,881 | +5% |
| GET With Sentry | 1,603 | 17% | 1,526 | +5% |
| GET With Sentry (error only) | 6,004 | 64% | 5,674 | +6% |
| POST Baseline | 1,203 | - | 1,145 | +5% |
| POST With Sentry | 558 | 46% | 569 | -2% |
| POST With Sentry (error only) | 1,033 | 86% | 1,026 | +1% |
| MYSQL Baseline | 3,174 | - | 3,187 | -0% |
| MYSQL With Sentry | 362 | 11% | 349 | +4% |
| MYSQL With Sentry (error only) | 2,549 | 80% | 2,484 | +3% |


andreiborza enabled auto-merge (squash) on March 31, 2026 06:15
andreiborza merged commit 8f08fcb into develop on Mar 31, 2026
242 of 243 checks passed
andreiborza deleted the ab/pin-axios branch on March 31, 2026 07:39