wcmolin opened a new issue, #18255: URL: https://github.com/apache/dolphinscheduler/issues/18255
### Search before asking - [X] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar issues. ### What happened `dolphinscheduler-ui/package.json` depends on axios `^0.27.2` (locked at 0.27.2), which is affected by CVE-2026-40175 (CVSS 9.9, Critical). **Details:** - **Advisory**: https://github.com/advisories/GHSA-fvcv-3m26-pcqx - **Patched version**: axios >= 1.15.0 Axios versions prior to 1.15.0 do not validate HTTP header values for CRLF characters. In environments where prototype pollution can occur (e.g., via a vulnerable third-party dependency), this flaw could be exploited for request smuggling, cloud metadata exfiltration, or remote code execution. It is recommended to upgrade axios to `^1.15.0` to address this known vulnerability. ### What you expected to happen Upgrade axios to `^1.15.0`. ### Anything else Upgrading from 0.x to 1.x is a major version bump and may introduce breaking changes. UI functionality should be verified after the upgrade. ### Version dev ### Are you willing to submit PR? - [ ] Yes I am willing to submit a PR! ### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
