The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| }, | ||
| "dependencies": { | ||
| "@azure/ms-rest-js": "^1.5.0", | ||
| "@azure/ms-rest-js": "^2.0.0", |
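Review bot: `^2.0.0` moves @azure/ms-rest-js across a major version while no source file in this PR changes, so the URLBuilder, CompositeMapper, MapperType and Serializer call sites that depend on it are not verified against the new major; before merging, build and run the test suite against the version the lockfile resolves, and consider setting the range floor to the latest 2.x patch rather than `^2.0.0` so the lockfile does not settle on the first release of the new major.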
Major version bump of @azure/ms-rest-js risks breaking generated code
High Severity
@azure/ms-rest-js is upgraded from v1 to v2, a major version bump that Snyk itself flags as "isBreakingChange":true. The codebase extensively uses this library's URLBuilder, CompositeMapper, MapperType, and Serializer across 7+ generated and hand-written source files. The v2 release replaced the internal HTTP transport from axios to node-fetch and dropped the @azure/core-auth dependency. No accompanying code changes were made to verify or adapt to potential API/behavioral differences. The lockfile also pins to the earliest v2 release (v2.0.0) rather than the latest v2.7.0 which includes years of bug fixes.
| "@azure/ms-rest-js": "^2.0.0", | ||
| "args": "^5.0.1", | ||
| "axios": "^0.27.0", | ||
| "axios": "^1.13.5", |
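Review bot: the range change from `^0.27.0` to `^1.13.5` is a major-version jump, and the PR body cites only SNYK-JS-AXIOS-15252993 without stating the first axios version that fixes it; record that in the description so reviewers can see why a 1.x range was chosen, and since the copy-source validation in BlobHandler.ts calls `axios.get()` on this dependency, decide explicitly whether that request should pass `proxy: false` (axios's per-request opt-out) or honour environment proxy variables, rather than leaving the behaviour to default detection.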
Major axios upgrade adds proxy auto-detection behavior
Medium Severity
axios is upgraded from v0.27 to v1.13.5, a major version bump that adds proxy-from-env as a new dependency. This means axios now automatically detects and routes requests through proxies configured via HTTP_PROXY/HTTPS_PROXY environment variables. In BlobHandler.ts, axios.get() is used for copy source validation, and this new proxy behavior could cause requests to fail or route through unintended proxies in environments where those variables are set. No code changes were made to opt out of this behavior.
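To make the proxy point above concrete: the following is an added example written for this thread, not code from the repository under review or from axios. `envProxyFor` is an assumed, simplified re-implementation of the proxy-from-env lookup rules (HTTPS_PROXY/HTTP_PROXY with ALL_PROXY fallback and NO_PROXY exclusions), included so the block runs offline; `copySourceRequestConfig` assumes the BlobHandler.ts check is a plain `axios.get()` against a caller-supplied source URL, and `proxy: false` is axios's documented per-request way to disable proxying, including environment-detected proxies. The sample environment and URLs are constructed for illustration.

```javascript
'use strict';
// Added example for this review thread; not code from the repository or from axios.
// envProxyFor() is an assumed, simplified re-implementation of the proxy-from-env
// rules that axios 1.x applies when a request config leaves `proxy` undefined.

// Split NO_PROXY on commas or whitespace, as proxy-from-env does.
function parseNoProxy(value) {
  return (value || '').split(/[,\s]/).map((s) => s.trim()).filter(Boolean);
}

// NO_PROXY entry semantics: "host" matches exactly; ".suffix" and "*.suffix"
// match by suffix; "*" matches everything; "host:port" additionally pins the port.
function hostExcluded(hostname, port, noProxy) {
  return noProxy.some((entry) => {
    const m = entry.match(/^(.+):(\d+)$/);
    let entryHost = (m ? m[1] : entry).toLowerCase();
    const entryPort = m ? parseInt(m[2], 10) : 0;
    if (entryPort && entryPort !== port) return false;
    if (!/^[.*]/.test(entryHost)) return hostname === entryHost;
    if (entryHost.startsWith('*')) entryHost = entryHost.slice(1);
    return hostname.endsWith(entryHost);
  });
}

// Lower-case variable wins over upper-case, matching proxy-from-env.
function getEnv(env, name) {
  return env[name.toLowerCase()] || env[name.toUpperCase()] || '';
}

// Proxy URL the environment would select for requestUrl, or null for a direct request.
function envProxyFor(requestUrl, env) {
  const u = new URL(requestUrl);
  const proto = u.protocol.slice(0, -1); // "https:" -> "https"
  const hostname = u.hostname.toLowerCase();
  const port = u.port ? parseInt(u.port, 10) : proto === 'https' ? 443 : 80;
  const proxy = getEnv(env, proto + '_proxy') || getEnv(env, 'all_proxy');
  if (!proxy) return null;
  if (hostExcluded(hostname, port, parseNoProxy(getEnv(env, 'no_proxy')))) return null;
  return proxy;
}

// Request config for the copy-source check. `proxy: false` is axios's documented
// per-request opt-out: the request goes direct regardless of *_PROXY variables.
function copySourceRequestConfig(sourceUrl, opts = {}) {
  const { allowEnvProxy = false, timeoutMs = 5000 } = opts;
  const config = {
    method: 'get',
    url: sourceUrl,
    timeout: timeoutMs, // axios option: give up if the source does not answer in time
    maxRedirects: 0,    // axios option: do not follow the source to another host
  };
  if (!allowEnvProxy) config.proxy = false;
  return config;
}

// Where a request built from `config` would actually be sent: null means direct,
// an explicit proxy object is returned as-is, otherwise env detection decides.
function effectiveProxy(config, env) {
  if (config.proxy === false) return null;
  if (config.proxy) return config.proxy;
  return envProxyFor(config.url, env);
}

// Constructed environment for illustration (not taken from any real deployment).
const sampleEnv = {
  HTTPS_PROXY: 'http://proxy.corp.example:3128',
  NO_PROXY: 'localhost,.internal.example',
};

// Side-by-side: default env detection versus the opted-out request.
function demo() {
  const url = 'https://src.blob.example/container/blob';
  return {
    envWouldUse: envProxyFor(url, sampleEnv),
    optedOut: effectiveProxy(copySourceRequestConfig(url), sampleEnv),
    envDetected: effectiveProxy(copySourceRequestConfig(url, { allowEnvProxy: true }), sampleEnv),
  };
}
```

With `sampleEnv`, `demo()` shows the source request routed via `proxy.corp.example:3128` when `proxy` is left undefined and sent direct when `proxy: false` is set; a host under `.internal.example` is exempt either way. Whichever policy the project wants for the copy-source check, setting it in the request config makes it independent of what the hosting environment exports.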


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
package.json
package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
Note
Medium Risk
This is primarily a dependency upgrade, but it includes major-version bumps (axios and @azure/ms-rest-js) that may introduce runtime or typing incompatibilities in code paths that use these libraries.
Overview
Updates runtime dependencies to remediate a Snyk-reported vulnerability by upgrading axios from 0.27.x to 1.13.5 and @azure/ms-rest-js from 1.x to 2.0.0. Regenerates package-lock.json to reflect the new transitive dependency graph (e.g., proxy-from-env, node-fetch, and related helper packages) pulled in by the upgraded versions.
Written by Cursor Bugbot for commit 143008b.