Date: 2026-03-31
Threat: axios@1.14.1 pulls in plain-crypto-js@4.2.1 β confirmed malware (supply chain attack)
Action: DO NOT upgrade axios. Pin versions. Audit lockfiles.
| Repo | File | Section | Axios Version |
|---|---|---|---|
| replicatedhq/kots | web/package.json | dependencies | ^1.13.5 |
| replicatedhq/kURL-testgrid | web/package.json | devDependencies | ^1.13 |
| replicatedhq/cmx-testgrid | package.json | dependencies | ^1.7.2 |
| replicatedhq/vandoor | vendor-web/package.json | resolutions | ^0.30.3 |
| replicatedhq/replicated-www | package.json | dependencies | ^0.25.0 |
| replicatedhq/k8s-love | package.json | dependencies | ^0.25.0 |
| replicatedhq/action-okteto-test | package.json | dependencies | ^0.25.0 |
Highest risk: Repos with ^1.x ranges β these could resolve to 1.14.1 on next npm install:
- replicatedhq/kots (
^1.13.5)β οΈ - replicatedhq/kURL-testgrid (
^1.13)β οΈ - replicatedhq/cmx-testgrid (
^1.7.2)β οΈ
Lower risk: Repos pinned to ^0.x ranges β semver won't resolve to 1.14.1:
- replicatedhq/vandoor (
^0.30.3) - replicatedhq/replicated-www (
^0.25.0) - replicatedhq/k8s-love (
^0.25.0) - replicatedhq/action-okteto-test (
^0.25.0)
- This audit checked
package.jsonfiles across all 345 repos inreplicatedhqand 189 repos inreplicatedcom - Lockfiles (
package-lock.json,yarn.lock) were NOT audited β if any lockfile has already resolved to1.14.1, the compromise may already be present - No code changes were made