Bump axios to 1.15.0 to fix GHSA-3p68-rc4w-qgx5 / GHSA-fvcv-3m26-pcqx

noel-enquanta · noel-enquanta · commit fc3c0919ca14 · 2026-04-13T08:44:07.000-05:00
axios &lt;=1.14.0 has an SSRF via NO_PROXY bypass and header-injection
cloud-metadata exfil vulnerability. Bump to ^1.15.0.

Also add npm overrides for diff (&gt;=8.0.3) and serialize-javascript
(&gt;=7.0.5) to clear mocha-transitive advisories. npm audit now reports
0 vulnerabilities.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@voiceittech/voiceit3-nodejs",
-  "version": "3.0.5",
+  "version": "3.0.6",
   "description": "VoiceIt's API 3.0 Face + Voice Verification/Identification Node Wrapper",
   "main": "index.js",
   "scripts": {
@@ -27,12 +27,16 @@
   },
   "homepage": "https://github.com/voiceittech/voiceit3-nodejs#readme",
   "dependencies": {
-    "axios": "^1.13.5",
+    "axios": "^1.15.0",
     "form-data": "^4.0.4"
   },
   "devDependencies": {
     "mocha": "11.7.5"
   },
+  "overrides": {
+    "diff": "^8.0.3",
+    "serialize-javascript": "^7.0.5"
+  },
   "publishConfig": {
     "registry": "https://npm.pkg.github.com"
   }
