
fix(deps): upgrade nx to 22.6.5 to resolve axios security vulnerability #2653

Merged: nperez0111 merged 1 commit into main from fix/nx-upgrade-axios-vulnerability on Apr 16, 2026

Conversation

nperez0111 (Contributor) commented Apr 16, 2026

Summary

This PR fixes Dependabot alert #372 by upgrading nx and related packages to resolve a critical axios security vulnerability.

Changes

  • Upgraded nx from 22.6.4 to 22.6.5
  • Upgraded @nx/js from 22.6.4 to 22.6.5
  • Upgraded @nx/workspace from 22.6.4 to 22.6.5
  • This upgrades the transitive axios dependency from 1.12.0 to 1.15.0 (patched version)

Security Issue

CVE-2025-62718 - Axios NO_PROXY Hostname Normalization Bypass Leading to SSRF

  • Severity: Critical (CVSS 9.9)
  • Affected: axios >= 1.0.0, < 1.15.0
  • Fixed in: axios 1.15.0

The vulnerability allows attackers to bypass NO_PROXY rules through hostname normalization issues, potentially leading to SSRF attacks.

Testing

  • ✅ Built @blocknote/core and @blocknote/react successfully
  • ✅ Verified all axios dependencies upgraded to 1.15.0 via pnpm why axios
  • ✅ No breaking changes detected

References

Summary by CodeRabbit

  • Chores
    • Updated development tooling to the latest patch version for improved stability and compatibility.
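An added check, not code from this PR or from the BlockNote repository, that does in script form what the "pnpm why axios" step above did by hand: it scans a pnpm-lock.yaml text for resolved axios versions and flags any inside the affected range the description quotes for CVE-2025-62718 (>= 1.0.0, < 1.15.0). The lockfile key layout and the two sample excerpts are assumptions constructed for the example.

```javascript
// Added example, not code from this PR or from BlockNote: audit a pnpm
// lockfile for axios versions in the affected range of CVE-2025-62718
// (>= 1.0.0, < 1.15.0), the same check "pnpm why axios" was used for above.

const AFFECTED_MIN = "1.0.0"; // inclusive lower bound from the advisory
const FIXED_IN = "1.15.0";    // first patched release (exclusive bound)

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Collect every resolved axios version in pnpm-lock.yaml text. The key layout
// is an assumption: "  axios@1.12.0:" (lockfile v9), "  /axios@1.12.0:" (older
// formats), optionally with a peer suffix such as "axios@1.12.0(debug@4.4.0):".
function findAxiosVersions(lockfileText) {
  const re = /^[ \t]*\/?axios@(\d+\.\d+\.\d+[^\s(:]*)[(:]/gm;
  const versions = new Set();
  let m;
  while ((m = re.exec(lockfileText)) !== null) versions.add(m[1]);
  return [...versions];
}

// Vulnerable axios versions still resolved in the lockfile; empty means clean.
function auditLockfile(lockfileText) {
  return findAxiosVersions(lockfileText).filter(isAffected);
}

// Constructed samples: the state before the upgrade and after it.
const beforeLock = "packages:\n\n  axios@1.12.0:\n    resolution: {integrity: sha512-PLACEHOLDER}\n";
const afterLock  = "packages:\n\n  axios@1.15.0(debug@4.4.0):\n    resolution: {integrity: sha512-PLACEHOLDER}\n";

console.log(auditLockfile(beforeLock)); // [ '1.12.0' ]
console.log(auditLockfile(afterLock));  // []
```

Run it against the real lockfile with `auditLockfile(require("fs").readFileSync("pnpm-lock.yaml", "utf8"))`; a non-empty result means a transitive axios still sits in the affected range.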

vercel Bot commented Apr 16, 2026

The latest updates on your projects:

  • blocknote: Deployment Ready (Preview), updated Apr 16, 2026 4:58pm UTC
  • blocknote-website: Deployment Ready (Preview), updated Apr 16, 2026 4:58pm UTC

coderabbitai Bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 51e6bcd and ffdf656.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

The package.json devDependencies for Nx tooling were updated. Both @nx/js and nx packages were bumped from version 22.6.4 to 22.6.5. No other configuration entries were modified.

Changes

  • Nx Tooling Version Update (package.json): Updated @nx/js and nx devDependencies from 22.6.4 to 22.6.5.

🚥 Pre-merge checks: 3 passed

  • Title check: Passed. The title accurately summarizes the main change: upgrading nx to resolve an axios security vulnerability, which matches the changeset's focus on dependency version bumps.
  • Description check: Passed. The description includes Summary, Changes, and Testing sections covering the PR's security purpose and validation. However, it deviates from the template by omitting standard sections like Rationale, Impact, and Checklist.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

pkg-pr-new Bot commented Apr 16, 2026

  • @blocknote/ariakit: npm i https://pkg.pr.new/@blocknote/ariakit@2653
  • @blocknote/code-block: npm i https://pkg.pr.new/@blocknote/code-block@2653
  • @blocknote/core: npm i https://pkg.pr.new/@blocknote/core@2653
  • @blocknote/mantine: npm i https://pkg.pr.new/@blocknote/mantine@2653
  • @blocknote/react: npm i https://pkg.pr.new/@blocknote/react@2653
  • @blocknote/server-util: npm i https://pkg.pr.new/@blocknote/server-util@2653
  • @blocknote/shadcn: npm i https://pkg.pr.new/@blocknote/shadcn@2653
  • @blocknote/xl-ai: npm i https://pkg.pr.new/@blocknote/xl-ai@2653
  • @blocknote/xl-docx-exporter: npm i https://pkg.pr.new/@blocknote/xl-docx-exporter@2653
  • @blocknote/xl-email-exporter: npm i https://pkg.pr.new/@blocknote/xl-email-exporter@2653
  • @blocknote/xl-multi-column: npm i https://pkg.pr.new/@blocknote/xl-multi-column@2653
  • @blocknote/xl-odt-exporter: npm i https://pkg.pr.new/@blocknote/xl-odt-exporter@2653
  • @blocknote/xl-pdf-exporter: npm i https://pkg.pr.new/@blocknote/xl-pdf-exporter@2653

commit: ffdf656

@nperez0111 nperez0111 merged commit 0c02871 into main Apr 16, 2026
20 checks passed
@nperez0111 nperez0111 deleted the fix/nx-upgrade-axios-vulnerability branch April 16, 2026 16:59
