appwrite · eldadfux · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/.optimize-cache.json b/.optimize-cache.json
@@ -889,6 +889,7 @@
   "images/blog/scan-receipts-with-appwrite-functions/scan-function.png": "1223d882682d8c34406526e5764968f0de32a5668bd6339cffd4bff0efb75485",
   "images/blog/screenshots-best-practices/cover.png": "85e3a467827c2f52541feaaafeac90e411252dad0ff3a0b9688e31e782836160",
   "images/blog/secure-user-data-non-expert/cover.png": "763c1181c63cb099f1fc19da5044287690d9ce5d7c80005f368c36b650928b80",
+  "images/blog/security-update-regarding-the-axios-npm-incident/cover.png": "8f05bcaf2aad7786b043d17421f69fbe19f49b11c4c10a576898c2438076e130",
   "images/blog/self-hosted-vs-managed-backends-a-practical-comparison/cover.png": "9a819d76faf91a78fc6116b4202f08290d24a6002bcdd737dca2f85bd2546793",
   "images/blog/self-hosting-appwrite-with-coolify/add-appwrite.png": "b1efadc68d075357c32698569856f7cb106ddce6caf3b88e50698a1ef97e283a",
   "images/blog/self-hosting-appwrite-with-coolify/add-ssh-key-to-digitalocean.png": "0eb128b8cdfde988da008385254e1c49621e4b98072f3959267a32b5765df827",

diff --git a/src/routes/blog/post/security-update-regarding-the-axios-npm-incident/+page.markdoc b/src/routes/blog/post/security-update-regarding-the-axios-npm-incident/+page.markdoc
@@ -0,0 +1,37 @@
+---
+layout: post
+title: "Security update regarding the Axios npm incident"
+description: Appwrite's production repositories, SDKs, and tooling chain were not impacted by the compromised Axios npm releases.
+date: 2026-03-31
+cover: /images/blog/security-update-regarding-the-axios-npm-incident/cover.png
+timeToRead: 3
+author: eldad-fux
+category: security
+featured: false
+---
+
+We want to share a brief update regarding the recent Axios supply chain incident on npm, where malicious package versions were reportedly published after a maintainer account was compromised.
+
+After reviewing Appwrite's production repositories, SDKs, and tooling chain, we can confirm that Appwrite's SDKs and tooling were not impacted by the compromised Axios releases.
+
+Our JavaScript and TypeScript SDKs use native platform capabilities such as `fetch` rather than Axios, and our review did not identify exposure in the parts of our stack that ship to customers. Based on our internal assessment, no emergency customer action is required specifically for Appwrite services or Appwrite SDK usage.
+
+With that said, incidents like this are a strong reminder of the risks involved in modern software supply chains. Even when a project is not directly affected, transitive dependencies and package resolution behavior can create avoidable exposure if dependency versions are left too open.
+
+# What we recommend
+
+We recommend that customers review their own JavaScript and TypeScript projects and make sure dependencies are pinned appropriately, especially in production environments. Version pinning and committed lockfiles reduce the chance of unintentionally pulling newly published malicious or compromised packages through semver-compatible ranges.
+
+As part of our response, we have also introduced additional safeguards across our TypeScript-based SDK workflow:
+
+- We have added stronger lockfile handling to improve dependency reproducibility.
+- We have updated our SDK generation and release process to make dependency changes more visible during review.
+- We are enforcing stricter install behavior in CI so dependency trees stay aligned with reviewed lockfiles instead of resolving new versions automatically.
+
+These changes are not a response to a direct compromise in Appwrite, but an extra layer of protection to further harden our release process against future ecosystem incidents.
+
+# Our assessment
+
+Appwrite's SDKs and tooling chain were not impacted by the compromised Axios packages. We have still taken additional preventive steps to strengthen our dependency management and release pipeline, and we encourage all customers to do the same in their own projects.
+
+We will continue monitoring the ecosystem and tightening safeguards where it makes sense.
diff --git a/src/routes/changelog/(entries)/2026-03-31.markdoc b/src/routes/changelog/(entries)/2026-03-31.markdoc
@@ -0,0 +1,14 @@
+---
+layout: changelog
+title: "Security update: Axios npm incident"
+date: 2026-03-31
+cover: /images/blog/security-update-regarding-the-axios-npm-incident/cover.png
+---
+
+We have reviewed Appwrite's production repositories, SDKs, and tooling chain following the recent Axios npm supply chain incident, and confirmed that Appwrite SDKs and tooling were not impacted by the compromised Axios releases.
+
+Our JavaScript and TypeScript SDKs use native platform APIs such as `fetch` rather than Axios. While no direct exposure was found in Appwrite deliverables, we still added extra safeguards to our TypeScript SDK workflow, including stronger lockfile handling, stricter CI install behavior, and improved dependency visibility during release review.
+
+{% arrow_link href="/blog/post/security-update-regarding-the-axios-npm-incident" %}
+Read the full security update
+{% /arrow_link %}
diff --git a/static/images/blog/security-update-regarding-the-axios-npm-incident/cover.png b/static/images/blog/security-update-regarding-the-axios-npm-incident/cover.png