chore(deps): pin axios to 1.8.4 to unblock CI #370

Open: luis-almeida wants to merge 1 commit into master from luis/pin_axios_version
@luis-almeida luis-almeida commented May 7, 2026

Description

All PRs cut after 2026-05-01 have red CI in zcli-core/src/lib/auth.test.ts. Root cause: lerna bootstrap re-resolves axios: ^1.7.5 inside each package and overwrites the root node_modules/axios away from the locked 1.8.4. Recent axios releases changed the fetch adapter's error-path handling, breaking the existing test stubs.

Pinning axios to an exact 1.8.4 removes the drift. 1.8.4 is also the first version with the fix for CVE-2025-27152 (affects <1.8.2). Adding --frozen-lockfile to CI's yarn install makes any future resolver drift a hard CI failure instead of a silent one.

Timeline

  • 2024-09-05 — PR [VEG-2395] axios fetch adapter #253 lands with axios: ^1.7.5 and switches to axios' fetch adapter. The caret range makes resolution time-dependent.
  • 2025-03-19 — axios 1.8.4 published. Lockfile pins to this; CI + cache keep it stable.
  • 2026-05-01 — last green master CI run, still resolving to 1.8.4.
  • 2026-05-02 — axios 1.16.0 published and tagged latest. The fetch adapter's error path now touches response.body, which the auth.test.ts stubs don't provide.
  • 2026-05-07 — first PR to hit the new resolution (fix(themes): several fixes for themes:preview and themes:migrate #369). yarn install → lerna bootstrap → drift → 4 failures in auth.test.ts. Every PR opened from now on is red until master is fixed.

References

N/A

Risks

Low. 1.8.4 is what master's last green CI resolved to. Unblocks #369 and every other PR.

lerna bootstrap was running yarn install inside each package and
drifting the root node_modules/axios from the locked 1.8.4 to
whatever ^1.7.5 currently resolves to (1.16.0), breaking
zcli-core/src/lib/auth.test.ts in axios' fetch adapter.
Pinning to an exact version removes the drift, and --frozen-lockfile
makes future resolver drift a CI failure instead of a silent one.
@luis-almeida luis-almeida marked this pull request as ready for review May 7, 2026 14:00
Copilot AI review requested due to automatic review settings May 7, 2026 14:00
@luis-almeida luis-almeida requested review from a team as code owners May 7, 2026 14:00
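
The drift described in this PR, as an added Node.js example that is not code from the PR or from the zcli project: it reads the locked version from yarn.lock v1 text and compares it with what a resolve that ignores the lockfile would pick for each manifest's range. The manifests, lockfile text and published-version list are constructed, and the range matcher is a simplification that only handles exact versions and caret ranges with major >= 1.

```javascript
// Added example. Manifests, lockfile text and version list are constructed.
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Assumption: only exact versions and caret ranges with major >= 1 are handled.
function satisfies(version, range) {
  if (!range.startsWith("^")) return cmp(version, range) === 0;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Resolved version for `dep` in yarn.lock v1 text, or null if absent.
function lockedVersion(lockText, dep) {
  const lines = lockText.split("\n");
  const start = lines.findIndex((l) => /^\S.*:$/.test(l) &&
    l.slice(0, -1).split(", ").some((k) => k.replace(/"/g, "").startsWith(dep + "@")));
  if (start === -1) return null;
  for (let i = start + 1; i < lines.length && /^\s/.test(lines[i]); i++) {
    const m = lines[i].match(/^\s+version "(.+)"$/);
    if (m) return m[1];
  }
  return null;
}

// `fresh` is what a resolve that ignores the lockfile would pick: the newest match.
function driftReport(manifests, lockText, dep, published) {
  const locked = lockedVersion(lockText, dep);
  return Object.entries(manifests)
    .filter(([, pkg]) => pkg.dependencies && pkg.dependencies[dep])
    .map(([path, pkg]) => {
      const range = pkg.dependencies[dep];
      const fresh = published.filter((v) => satisfies(v, range)).sort(cmp).pop();
      return { path, range, locked, fresh, drifts: fresh !== locked };
    });
}

const lock = 'axios@1.8.4, axios@^1.7.5:\n  version "1.8.4"\n';
const published = ["1.7.5", "1.8.4", "1.16.0"];
const caret = { "packages/zcli-core/package.json": { dependencies: { axios: "^1.7.5" } } };
const pinned = { "packages/zcli-core/package.json": { dependencies: { axios: "1.8.4" } } };

console.log(driftReport(caret, lock, "axios", published));
console.log(driftReport(pinned, lock, "axios", published));
```

The version comparison is numeric per component; a plain string sort would rank 1.16.0 below 1.7.5 and hide the drift.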

Copilot AI left a comment

Pull request overview

Pins axios to an exact version across the monorepo to eliminate version drift introduced by lerna bootstrap during postinstall, restoring CI stability (notably zcli-core/src/lib/auth.test.ts) and ensuring CI fails fast if the lockfile and manifests diverge.

Changes:

  • Pin axios from ^1.7.5 to 1.8.4 in all packages that declare it directly.
  • Update yarn.lock to reflect the pinned axios@1.8.4 resolution.
  • Make CI installs deterministic by switching to yarn install --frozen-lockfile in the test workflow.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| yarn.lock | Updates the locked axios resolution key to include axios@1.8.4. |
| packages/zcli-themes/package.json | Pins axios to 1.8.4 to prevent bootstrap re-resolving. |
| packages/zcli-core/package.json | Pins axios to 1.8.4 to stabilize auth/request behavior under CI. |
| packages/zcli-connectors/package.json | Pins axios to 1.8.4 for consistent installs across packages. |
| packages/zcli-apps/package.json | Pins axios to 1.8.4 for consistent installs across packages. |
| .github/workflows/test.yml | Uses --frozen-lockfile to prevent silent dependency drift in CI. |

mmassaki commented May 8, 2026

I'd recommend going with #371, which addresses the issue with the latest version of axios.
