
fix: override axios to ^1.15.0 for CVE-2025-62718 #1153

Closed
stefans71 wants to merge 1 commit into coleam00:dev from stefans71:fix/axios-cve-2025-62718

Conversation

stefans71 (Contributor) commented Apr 13, 2026

Summary

  • Adds "axios": "^1.15.0" to overrides in root package.json to fix CVE-2025-62718
  • Axios is a transitive dependency via @slack/bolt (^1.12.0) and @slack/web-api (^1.13.5) — both already accept >=1.15.0 via their semver ranges
  • The CVE allows bypassing NO_PROXY rules via hostname normalization, potentially leading to SSRF

Closes #1053

Test plan

  • bun install resolves axios to 1.15.0 in lockfile
  • bun run type-check passes
  • bun run validate passes (CI)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated package dependency override configurations for improved stability and compatibility.

Axios is a transitive dependency via @slack/bolt and @slack/web-api.
The lockfile resolved to 1.13.6, which is vulnerable to NO_PROXY
hostname normalization bypass (SSRF risk). Both Slack packages
already accept ^1.15.0 via their semver ranges, so adding an
override is sufficient.

Closes coleam00#1053

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai (Bot) commented Apr 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6dd510fc-bdd2-459c-b365-0fc82a975390

📥 Commits

Reviewing files that changed from the base of the PR and between eb75ab6 and c4be95a.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Updated package.json overrides configuration to pin axios to version ^1.15.0 and reformatted the test-exclude override entry. No exported or public code entities were modified.

Changes

  • Dependency Overrides (package.json): Added axios dependency override pinned to ^1.15.0; reformatted test-exclude override entry for consistency.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Through dependency fields I hop and bound,
Axios patched, a fix profound,
CVE-2025 now sealed so tight,
Proxy rules shine bright,
Security strengthened with delight! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The description provides essential context (CVE details, dependency chain, security implications) and includes test evidence, but omits most structured sections from the template. Resolution: add risk assessment (low/medium/high), module labeling, change metadata, architecture context, and rollback plan to align with repository template standards.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly and specifically identifies the main change: overriding axios to a patched version to address CVE-2025-62718.
  • Linked Issues check: ✅ Passed. The PR successfully addresses all primary requirements from issue #1053: updates axios to a non-vulnerable version compatible with existing dependencies and prevents NO_PROXY bypass vulnerabilities.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to resolving CVE-2025-62718; only package.json overrides were modified with no unrelated alterations.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Wirasm (Collaborator) commented Apr 21, 2026

Thanks for catching this, @stefans71 — closing and re-opening on current `dev` with full credit to you. Your branch is 8 days behind `dev` and `bun.lock` conflicts on unrelated version bumps (0.3.5 → 0.3.6), so a one-line fix is cleaner re-done on a fresh branch than rebased. Crediting via `Co-authored-by:` on the replacement commit.

Follow-up PR is inbound — will link it here.

@Wirasm Wirasm closed this Apr 21, 2026
Wirasm added a commit that referenced this pull request Apr 22, 2026
…1330)

axios <1.15.0 can be coerced to bypass NO_PROXY rules via hostname
normalization, enabling SSRF in the right network shape. Archon pulls
axios transitively through @slack/bolt (^1.12.0) and @slack/web-api
(^1.13.5); before this change bun.lock resolved axios@1.13.6 — within
the vulnerable range.

Adding "axios": "^1.15.0" to the root package.json overrides bumps the
transitive resolution to axios@1.15.1 (latest compatible 1.x). Both
Slack range specs accept it without API surface changes — no downstream
code touches axios directly.

Supersedes #1153. Credits @stefans71 for identifying and reporting the
vulnerability; their PR was stale on the lockfile (0.3.5 → 0.3.6 drift
on dev), so this is a fresh one-line re-do on current dev.

Closes #1053.

Co-authored-by: Stefans71 <stefans71@users.noreply.github.com>
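As an added example, not code from Archon, from the PR, or from any commenter: the override reasoning given in the PR description above and repeated in the superseding commit message (both Slack packages declare axios with caret ranges that accept ^1.15.0, the lockfile resolved 1.13.6 before the change and 1.15.1 after) checked mechanically, which is the check a reviewer would want before trusting a one-line override. The package.json text, the root package name and the dependent range table are constructed from the numbers quoted on this page; the caret matcher is a minimal stand-in for a semver library and handles only ^X.Y.Z ranges with X >= 1, which is all this case needs.

```javascript
// Added example (not the project's code): verify that a root "overrides"
// entry actually fixes a vulnerable transitive dependency and that every
// dependent's declared range still accepts the forced version.

// Constructed sample input modelled on the PR description. "example-root"
// is a hypothetical name, not the real project's.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-root",
  overrides: { axios: "^1.15.0" },
});

// Constructed from the PR text: what the dependents request.
const DEPENDENT_RANGES = {
  "@slack/bolt": "^1.12.0",
  "@slack/web-api": "^1.13.5",
};

// Lowest patched version named in the PR.
const FIXED_VERSION = "1.15.0";

// Parse "X.Y.Z" into [X, Y, Z]; anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, component by component.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: ^X.Y.Z means >=X.Y.Z and <(X+1).0.0.
// Caret on 0.x versions is narrower and deliberately not handled here.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const floor = range.slice(1);
  const [major] = parseVersion(floor);
  if (major === 0) throw new Error("0.x caret ranges not handled");
  return compareVersions(version, floor) >= 0 && parseVersion(version)[0] === major;
}

// Read the override range for a package from package.json text, or null.
function overrideFor(packageJsonText, pkg) {
  const manifest = JSON.parse(packageJsonText);
  return (manifest.overrides && manifest.overrides[pkg]) || null;
}

// Assess one resolved version: is it at or above the patched version, does it
// fall inside the override range, and which dependents (if any) reject it?
function assessResolution(resolved, overrideRange, dependentRanges) {
  const rejectedBy = Object.entries(dependentRanges)
    .filter(([, range]) => !satisfiesCaret(resolved, range))
    .map(([name]) => name);
  return {
    resolved,
    patched: compareVersions(resolved, FIXED_VERSION) >= 0,
    matchesOverride: overrideRange ? satisfiesCaret(resolved, overrideRange) : false,
    rejectedBy,
  };
}

const override = overrideFor(SAMPLE_PACKAGE_JSON, "axios");
// Lockfile state before the change per the PR text, and after it.
const before = assessResolution("1.13.6", override, DEPENDENT_RANGES);
const after = assessResolution("1.15.1", override, DEPENDENT_RANGES);
console.log("before:", before);
console.log("after:", after);
```

The interesting output is `rejectedBy`: it is empty for both versions, which is exactly the condition the PR relies on (the override cannot be rejected by a consumer's range), while `patched` and `matchesOverride` flip from false to true once the resolution moves to 1.15.1. In a real repository this would read the resolved version out of the lockfile rather than a literal, and would need a full semver implementation for anything beyond plain caret ranges.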
Wirasm (Collaborator) commented Apr 27, 2026

@stefans71 this PR looks similar to the already-merged #1330 (merged 2026-04-22). The axios CVE-2025-62718 fix appears to have been landed in #1330 with credit to you (as noted in the comment above). Please check whether this PR is still needed — it is likely safe to close.


Development

Successfully merging this pull request may close these issues.

Vulnerability in Archon project
