From 45f6e059dd3b09ffbcefafef6a76460a5f8fa81c Mon Sep 17 00:00:00 2001
From: Yashvanth B L <yashvanthbl137@bitgo.com>
Date: Fri, 10 Apr 2026 01:20:11 +0530
Subject: [PATCH] fix(deps): pin axios to 1.15.0 for CVE-2025-62718

CGARD-783
---
 package.json |  4 ++--
 yarn.lock    | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/package.json b/package.json
index 13f10c100f..a9ab940071 100644
--- a/package.json
+++ b/package.json
@@ -102,7 +102,7 @@
     "@polkadot/keyring": "13.5.6",
     "elliptic": "^6.6.1",
     "cookie": "^0.7.1",
-    "axios": "^1.13.0",
+    "axios": "1.15.0",
     "canvg": "4.0.3",
     "**/stellar-sdk/**/bignumber.js": "4.1.0",
     "**/stellar-base/**/bignumber.js": "4.1.0",
@@ -165,7 +165,7 @@
     "test:prepare-release": "mocha --require tsx ./scripts/tests/prepareRelease/prepare-release-main.test.ts"
   },
   "dependencies": {
-    "axios": "^1.13.0",
+    "axios": "1.15.0",
     "terser": "^5.14.2",
     "tmp": "^0.2.3",
     "bigint-buffer": "npm:@trufflesuite/bigint-buffer@1.1.10"
diff --git a/yarn.lock b/yarn.lock
index 3e8f1381b3..a0adb80f07 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7552,14 +7552,14 @@ aws4@^1.8.0:
   resolved "https://registry.npmjs.org/aws4/-/aws4-1.13.2.tgz"
   integrity sha512-lHe62zvbTB5eEABUVi/AwVh0ZKY9rMMDhmm+eeyuuUQbQ3+J+fONVQOZyj+DdrvD4BY33uYniyRJ4UJIaSKAfw==
 
-axios@0.25.0, axios@0.27.2, axios@1.7.4, axios@^0.21.2, axios@^0.26.1, axios@^1.13.0, axios@^1.6.0, axios@^1.8.3:
-  version "1.13.5"
-  resolved "https://registry.npmjs.org/axios/-/axios-1.13.5.tgz#5e464688fa127e11a660a2c49441c009f6567a43"
-  integrity sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==
+axios@0.25.0, axios@0.27.2, axios@1.15.0, axios@1.7.4, axios@^0.21.2, axios@^0.26.1, axios@^1.13.0, axios@^1.6.0, axios@^1.8.3:
+  version "1.15.0"
+  resolved "https://registry.npmjs.org/axios/-/axios-1.15.0.tgz#0fcee91ef03d386514474904b27863b2c683bf4f"
+  integrity sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==
   dependencies:
     follow-redirects "^1.15.11"
     form-data "^4.0.5"
-    proxy-from-env "^1.1.0"
+    proxy-from-env "^2.1.0"
 
 b4a@^1.6.4:
   version "1.7.3"
@@ -17476,6 +17476,11 @@ proxy-from-env@^1.1.0:
   resolved "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz"
   integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
 
+proxy-from-env@^2.1.0:
+  version "2.1.0"
+  resolved "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz#a7487568adad577cfaaa7e88c49cab3ab3081aba"
+  integrity sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==
+
 proxyquire@^2.1.3:
   version "2.1.3"
   resolved "https://registry.npmjs.org/proxyquire/-/proxyquire-2.1.3.tgz"