Context
GitHub Security Advisory landed flagging axios <1.16.0 for two HIGH-severity vulnerabilities:
- shouldBypassProxy doesn't recognize certain proxy bypass patterns
postmark@4.0.7 declares axios: ^1.13.5. The caret already allows axios 1.16+, so the runtime is unaffected — but workspaces using strict resolution (and downstream consumers running npm audit --audit-level=high --prod in CI) all fail the audit step on transitive postmark > axios paths.
Suggested fix
Bump the declared minimum to axios: ^1.16.0 in package.json. No code change required — postmark already works fine with axios 1.16+ in the existing range.
Workaround (for consumers reading this)
Until released, override transitively via your package manager:
pnpm (workspace root):

```json
"pnpm": {
  "overrides": {
    "axios": ">=1.16.0"
  }
}
```

npm 8.3+:

```json
"overrides": {
  "axios": ">=1.16.0"
}
```

yarn:

```json
"resolutions": {
  "axios": ">=1.16.0"
}
```
Happy to send a PR with the bump if it's helpful.
Environment
- postmark: 4.0.7
- axios (resolved before override): 1.13.5
- Node: 22.x
- pnpm: 10.x
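An added consumer-side check, not part of this issue or of postmark: it tests whether a declared range's floor is at or above the advisory's patched version (the suggested fix above) and walks a package-lock.json (lockfileVersion 3 layout assumed) for nested copies of a package still resolved below that version, which is what the audit step trips on. The sample lock is constructed, and `patched` is assumed to be the advisory's fix version.

```javascript
// Added example (not from the issue or postmark). Minimal numeric semver handling
// so it runs offline without the `semver` package; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^[\^~>=<\s]+/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// The issue's suggested fix: the declared range's floor must be >= `patched`,
// otherwise a lockfile may legitimately pin a vulnerable version inside the range.
function declaredFloorIsPatched(range, patched) {
  return cmp(parseVersion(range), parseVersion(patched)) >= 0;
}
// Every copy of `name` in a lockfileVersion 3 package-lock resolved below `patched`,
// i.e. the transitive paths npm audit flags even when the root copy is already fixed.
function findBelowPatched(lock, name, patched) {
  const min = parseVersion(patched);
  const hits = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (!p.endsWith(`node_modules/${name}`)) continue;
    if (cmp(parseVersion(entry.version), min) < 0) hits.push({ path: p, version: entry.version });
  }
  return hits;
}
// The override block from the workaround, shaped for the package manager in use.
function overrideSnippet(pm, name, patched) {
  const range = { [name]: `>=${patched}` };
  if (pm === 'pnpm') return { pnpm: { overrides: range } };
  if (pm === 'npm') return { overrides: range };
  if (pm === 'yarn') return { resolutions: range };
  throw new Error(`unknown package manager: ${pm}`);
}
// Constructed sample lock: root resolves axios 1.16.0, but postmark's nested copy is 1.13.5.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { postmark: '^4.0.7' } },
    'node_modules/postmark': { version: '4.0.7', dependencies: { axios: '^1.13.5' } },
    'node_modules/postmark/node_modules/axios': { version: '1.13.5' },
    'node_modules/axios': { version: '1.16.0' },
  },
};
console.log(findBelowPatched(sampleLock, 'axios', '1.16.0'));
```

After applying an override, rerun the walk on the regenerated lockfile; an empty result means no path still resolves the flagged version.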