fix(deps): security update — 1 package(s) [risk: MED]

[aniket-shikhare-cstk]

Security Fix — SnykrAI

Verification

• Dependencies resolve
• Build passes (npm run build --if-present)
• Tests pass (npm test)

Risk: MEDIUM

Minor version upgrade. New features possible, breaking changes unlikely.

Vulnerabilities Addressed

CRITICAL: Unintended Proxy or Intermediary ('Confused Deputy')

Detail	Value
Package	axios@1.13.6
Dependency type	Direct
CVE	CVE-2025-62718
CWE	CWE-441
CVSS	9.1
Vulnerable range	<1.15.0
Fixed in	1.15.0
Snyk ID	SNYK-JS-AXIOS-15965856
Published	2026-04-10

HIGH: HTTP Response Splitting

Detail	Value
Package	axios@1.13.6
Dependency type	Direct
CVE	CVE-2026-40175
CWE	CWE-113
CVSS	7
Vulnerable range	<1.15.0
Fixed in	1.15.0
Snyk ID	SNYK-JS-AXIOS-15969258
Published	2026-04-10

Dependency Upgrades

Package	From	To	Risk	Reasoning
axios	1.13.6	1.15.0	minor	Upgrading to 1.15.0 as specified in Snyk's fixed_in field, which resolves both the critical and high severity vulnera...

Changelog & Impact Analysis

axios (1.13.6 → 1.15.0)

Registry: https://www.npmjs.com/package/axios?activeTab=versions

Release Notes:

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

## ⚠️ Important Changes

* **Deprecation:** `url.parse()` usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (__#10625__)

## 🔒 Security Fixes

* **Proxy Handling:** Fixed a `no_proxy` hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (__#10661__)
* **Header Injection:** Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (__#10660__)

## 🚀 New Features

* **Runtime Support:** Added compatibility checks and documentation for Deno and Bun environments. (__#10652__, __#10653__)

## 🔧 Maintenance & Chores

* **CI Security:** Hardened workflow permissions to least privilege, added the `zizmor` security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (__#10618__, __#10619__, __#10627__, __#10637__, __#10666__)
* **Dependencies:** Bumped `serialize-javascript`, `handlebars`, `picomatch`, `vite`, and `denoland/setup-deno` to latest versions. Added a 7-day Dependabot cooldown period. (__#10574__, __#10572__, __#10568__, __#10663__, __#10664__, __#10665__, __#10669__, __#10670__, __#10616__)
* **Documentation:** Unified docs, improved `beforeR

... _(truncated)_

Files using this package (41):

• ./node_modules/@contentstack/management/types/contentstackClient.d.ts
• ./node_modules/@contentstack/marketplace-sdk/types/contentstackClient.d.ts
• ./node_modules/@contentstack/cli-utilities/lib/http-client/http-response.d.ts
• ./node_modules/@contentstack/cli-utilities/lib/http-client/client.d.ts
• ./node_modules/axios/index.d.ts
• ./src/core/contentstack/client.ts
• ./node_modules/@contentstack/management/dist/es5/core/contentstackHTTPClient.js
• ./node_modules/@contentstack/management/dist/es5/core/concurrency-queue.js
• ./node_modules/@contentstack/management/dist/es5/core/oauthHandler.js
• ./node_modules/@contentstack/management/dist/es5/contentstackClient.js
• ...and 31 more

LLM Impact Analysis:

Likely safe (high confidence). The upgrade from axios 1.13.6 to 1.15.0 contains only security fixes, runtime compatibility additions, and maintenance changes with no removed or renamed APIs that affect the existing source code.

Metadata

LLM Provider	anthropic
Strategy	aggressive
Total issues	7
Fixable	2
Ecosystem	npm
Generated	2026-04-14 21:06 UTC

---

Automated by SnykrAI — draft PR, needs human review before merging.

[github-actions]

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type	Count (with fixes)	Without fixes	Threshold	Result
🔴 Critical Severity	0	0	10	✅ Passed
🟠 High Severity	10	1	25	✅ Passed
🟡 Medium Severity	12	5	500	✅ Passed
🔵 Low Severity	0	0	1000	✅ Passed

⏱️ SLA Breach Summary

⚠️ Warning: The following vulnerabilities have exceeded their SLA thresholds (days since publication).

Severity	Breaches (with fixes)	Breaches (no fixes)	SLA Threshold (with/no fixes)	Status
🔴 Critical	0	0	15 / 30 days	✅ Passed
🟠 High	0	0	30 / 120 days	✅ Passed
🟡 Medium	0	1	90 / 365 days	⚠️ Warning
🔵 Low	0	0	180 / 365 days	✅ Passed

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

• Critical without fixes: 0
• High without fixes: 1
• Medium without fixes: 5
• Low without fixes: 0

⚠️ BUILD PASSED WITH WARNINGS - SLA breaches detected for issues without available fixes

Consider reviewing these vulnerabilities when fixes become available.