[PR #7343] [MERGED] [AI] Pin axios to 1.14.0 to avoid vulnerable 1.14.1 #48915

opened 2026-04-26 10:47:23 -05:00 by GiteaMirror · 0 comments
📋 Pull Request Information

Original PR: https://github.com/actualbudget/actual/pull/7343
Author: @MatissJanis
Created: 3/31/2026
Status: Merged
Merged: 3/31/2026
Merged by: @MatissJanis

Base: master ← Head: pin-axios-1.14.0


📝 Commits (2)

  • 791b035 [AI] Pin axios to 1.14.0 to avoid vulnerable 1.14.1
  • 95dcc85 Add release notes for PR #7343

📊 Changes

3 files changed (+8 additions, -1 deletions)

📝 package.json (+1 -0)
upcoming-release-notes/7343.md (+6 -0)
📝 yarn.lock (+1 -1)

📄 Description

Pin axios to exactly 1.14.0 via yarn resolutions to prevent upgrading to 1.14.1, which has a critical vulnerability. axios is a transitive dependency (via nordigen-node), so the resolution ensures it stays pinned regardless of semver range.


Bundle Stats

Bundle | Files count | Total bundle size | % Changed
------ | ----------- | ----------------- | ---------
desktop-client | 27 | 12.09 MB → 12.09 MB (+85 B) | +0.00%
loot-core | 1 | 4.83 MB | 0%
api | 4 | 4.06 MB | 0%
cli | 1 | 7.88 MB | 0%

desktop-client

Total

Files count | Total bundle size | % Changed
----------- | ----------------- | ---------
27 | 12.09 MB → 12.09 MB (+85 B) | +0.00%

Changeset

File | Δ | Size
---- | - | ----
locale/es.json | 📈 +85 B (+0.05%) | 182.09 kB → 182.18 kB

Added
No assets were added

Removed
No assets were removed

Bigger

Asset | File Size | % Changed
----- | --------- | ---------
static/js/es.js | 182.09 kB → 182.18 kB (+85 B) | +0.05%

Smaller
No assets were smaller

Unchanged

Asset | File Size | % Changed
----- | --------- | ---------
static/js/index.js | 3.23 MB | 0%
static/js/BackgroundImage.js | 119.98 kB | 0%
static/js/FormulaEditor.js | 846.44 kB | 0%
static/js/ReportRouter.js | 1.02 MB | 0%
static/js/TransactionList.js | 81.29 kB | 0%
static/js/ca.js | 182.91 kB | 0%
static/js/da.js | 104.66 kB | 0%
static/js/de.js | 174.79 kB | 0%
static/js/en-GB.js | 7.16 kB | 0%
static/js/en.js | 170.76 kB | 0%
static/js/fr.js | 177.47 kB | 0%
static/js/indexeddb-main-thread-worker-e59fee74.js | 13.46 kB | 0%
static/js/it.js | 166.25 kB | 0%
static/js/narrow.js | 354.5 kB | 0%
static/js/nb-NO.js | 152.2 kB | 0%
static/js/nl.js | 108.93 kB | 0%
static/js/pl.js | 88.34 kB | 0%
static/js/pt-BR.js | 177.84 kB | 0%
static/js/resize-observer.js | 18.03 kB | 0%
static/js/sv.js | 80.58 kB | 0%
static/js/th.js | 179.94 kB | 0%
static/js/theme.js | 30.68 kB | 0%
static/js/uk.js | 213.14 kB | 0%
static/js/useTransactionBatchActions.js | 4.29 MB | 0%
static/js/wide.js | 418 B | 0%
static/js/workbox-window.prod.es5.js | 7.28 kB | 0%

loot-core

Total

Files count | Total bundle size | % Changed
----------- | ----------------- | ---------
1 | 4.83 MB | 0%

Added
No assets were added

Removed
No assets were removed

Bigger
No assets were bigger

Smaller
No assets were smaller

Unchanged

Asset | File Size | % Changed
----- | --------- | ---------
kcab.worker.CwpE34S5.js | 4.83 MB | 0%

api

Total

Files count | Total bundle size | % Changed
----------- | ----------------- | ---------
4 | 4.06 MB | 0%

Added
No assets were added

Removed
No assets were removed

Bigger
No assets were bigger

Smaller
No assets were smaller

Unchanged

Asset | File Size | % Changed
----- | --------- | ---------
index.js | 3.84 MB | 0%
from-Bl-Hslp4.js | 167.73 kB | 0%
multipart-parser-BnDysoMr.js | 8.1 kB | 0%
src-iMkUmuwR.js | 43.64 kB | 0%

cli

Total

Files count | Total bundle size | % Changed
----------- | ----------------- | ---------
1 | 7.88 MB | 0%

Added
No assets were added

Removed
No assets were removed

Bigger
No assets were bigger

Smaller
No assets were smaller

Unchanged

Asset | File Size | % Changed
----- | --------- | ---------
cli.js | 7.88 MB | 0%

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
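
A check that the pin from the PR description is actually in effect, as an added example that is not code from this PR or the Actual project: it reads `package.json` and `yarn.lock` text and reports any `axios` entry that resolves to something other than 1.14.0. The bare `axios` resolution key, the function names and the sample file contents (including the nordigen-node placeholder version and ranges) are assumptions constructed for illustration; the parser also accepts Yarn classic lockfile syntax, which goes beyond what the page shows.

```javascript
// Constructed sample inputs; not the project's real files.
const PKG_JSON = '{"name":"example","resolutions":{"axios":"1.14.0"}}';
const LOCK_PINNED = `"axios@npm:1.14.0":
  version: 1.14.0
"nordigen-node@npm:^0.0.0":
  version: 0.0.0
  dependencies:
    axios: "npm:^1.0.0"
`;
// Same lockfile without the resolution: the caret range floated to 1.14.1.
const LOCK_FLOATED = LOCK_PINNED
  .replace('"axios@npm:1.14.0":', '"axios@npm:^1.0.0":')
  .replace('version: 1.14.0', 'version: 1.14.1');

// Resolved version of each top-level entry for `name` (Berry or classic syntax).
function resolvedVersions(lockText, name) {
  const found = [];
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      const descriptors = line.slice(0, -1).split(',')
        .map(d => d.trim().replace(/^"|"$/g, ''));
      // indexOf('@', 1) skips the leading '@' of scoped package names.
      const hit = descriptors.some(d => d.slice(0, d.indexOf('@', 1)) === name);
      current = hit ? { descriptors, version: null } : null;
      if (current) found.push(current);
    } else if (current) {
      // Only the entry's own two-space field, never nested dependency ranges.
      const m = /^  version:?\s+"?([^"\s]+)"?\s*$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return found;
}

// Every reason the pin is not in effect; an empty list means it holds.
function checkPin(pkgJsonText, lockText, name, pinned, denied) {
  const problems = [];
  const want = (JSON.parse(pkgJsonText).resolutions || {})[name];
  if (want !== pinned) problems.push(`resolutions.${name} is ${want}, expected ${pinned}`);
  const entries = resolvedVersions(lockText, name);
  if (entries.length === 0) problems.push(`no ${name} entry in lockfile`);
  for (const e of entries) {
    const label = denied.includes(e.version) ? 'denied version' : 'version';
    if (e.version !== pinned) problems.push(`${e.descriptors.join(', ')} resolves to ${label} ${e.version}`);
  }
  return problems;
}
console.log(checkPin(PKG_JSON, LOCK_FLOATED, 'axios', '1.14.0', ['1.14.1']));
```

Run against the real files in CI, a non-empty result is the signal that a lockfile regeneration or a removed resolution has let the transitive range float again.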

GiteaMirror added the pull-request label 2026-04-26 10:47:23 -05:00

Reference: github-starred/actual#48915