
fix: CVE-2025-58754 by upgrading axios dependency #41295

Merged
subrata71 merged 2 commits into release from fix/CVE-2025-58754
Oct 17, 2025

Conversation

subrata71 (Collaborator) commented Oct 10, 2025

Description

https://github.com/appsmithorg/appsmith-ee/security/dependabot/438

Fixes CVE-2025-58754

client % yarn why axios
├─ appsmith-rts@workspace:packages/rts
│  └─ axios@npm:1.12.2 (via npm:^1.12.0)
│
├─ appsmith@workspace:.
│  └─ axios@npm:1.12.2 (via npm:^1.12.0)
│
└─ wait-on@npm:7.2.0
   └─ axios@npm:1.12.2 (via npm:^1.12.0)

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/18520882251
Commit: 59f9b9b
Cypress dashboard.
Tags: @tag.All
Spec:

Wed, 15 Oct 2025 08:31:04 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Updated axios to ^1.12.0 across the client, including the RTS package and resolution map, ensuring consistent dependency versions.
    • Improves overall stability and compatibility by incorporating upstream fixes and enhancements.
    • Reduces the risk of dependency conflicts in the client workspace.
    • No user-facing behavior changes are expected.
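
The `yarn why axios` output above is the check that matters for a dependency CVE: the patched version has to be the one that every dependent resolves to, including the transitive copy pulled in by wait-on, which is why the bump touches the `resolutions` map as well as the two direct entries. The following is an added example, not part of this PR or of Appsmith's code, of automating that check against a Yarn Berry lockfile. It takes the PR's ^1.12.0 range as the patched floor (an assumption of this example, not a statement the page makes about the CVE), parses the lockfile text by hand rather than through any Yarn API, and runs against two constructed lockfile snippets: one modelling a half-done bump where wait-on still pulls its own ^1.8.3 copy, and one modelling the state after the resolutions entry rewrites that range.

```javascript
// Added example (not Appsmith's code): check that every resolution of a package
// in a Yarn Berry lockfile meets a minimum patched version. Assumed floor here:
// axios >= 1.12.0, the range the PR above moves to. The point of the check is
// the transitive copy: wait-on declares its own axios range, so bumping the
// direct dependencies alone can leave a stale second copy in the lockfile,
// which is what the `resolutions` entry in package.json is there to prevent.

// Minimal x.y.z comparison. Assumption: lockfile versions are plain releases
// with no prerelease tag, which holds for the axios entries on this page.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Yarn Berry lockfile entries have an unindented, quoted descriptor list as the
// key and an indented `version:` line beneath it, e.g.
//   "axios@npm:^1.12.0, axios@npm:^1.8.3":
//     version: 1.12.2
// Returns { descriptor, version } for every descriptor of `pkg`.
function lockfileResolutions(lockText, pkg) {
  const found = [];
  let descriptors = null;
  for (const line of lockText.split("\n")) {
    const header = /^"?([^"\s][^"]*)"?:\s*$/.exec(line);
    if (header) {
      descriptors = header[1].split(",").map((s) => s.trim());
      continue;
    }
    const ver = /^\s+version:\s*"?([^"\s]+)"?\s*$/.exec(line);
    if (ver && descriptors) {
      for (const d of descriptors) {
        if (d.startsWith(`${pkg}@`)) found.push({ descriptor: d, version: ver[1] });
      }
      descriptors = null;
    }
  }
  return found;
}

// Resolutions of `pkg` that are still below `minFixed`; empty means clean.
function findStaleResolutions(lockText, pkg, minFixed) {
  return lockfileResolutions(lockText, pkg).filter(
    (r) => compareVersions(r.version, minFixed) < 0
  );
}

// Constructed sample lockfiles (not from the Appsmith repository). BEFORE models
// a half-done bump: app/client moved to ^1.12.0 but wait-on still pulls its own
// ^1.8.3 copy. AFTER models the state once the resolutions entry rewrites that
// range too, matching the `yarn why axios` output in the PR description.
const BEFORE_LOCK = `__metadata:
  version: 8

"axios@npm:^1.12.0":
  version: 1.12.2
  resolution: "axios@npm:1.12.2"

"axios@npm:^1.8.3":
  version: 1.8.4
  resolution: "axios@npm:1.8.4"

"wait-on@npm:7.2.0":
  version: 7.2.0
  resolution: "wait-on@npm:7.2.0"
  dependencies:
    axios: "npm:^1.8.3"
`;

const AFTER_LOCK = `__metadata:
  version: 8

"axios@npm:^1.12.0":
  version: 1.12.2
  resolution: "axios@npm:1.12.2"

"wait-on@npm:7.2.0":
  version: 7.2.0
  resolution: "wait-on@npm:7.2.0"
  dependencies:
    axios: "npm:^1.12.0"
`;

console.log("before:", findStaleResolutions(BEFORE_LOCK, "axios", "1.12.0"));
console.log("after:", findStaleResolutions(AFTER_LOCK, "axios", "1.12.0"));
```

Run it with `node` against a real `yarn.lock` by reading the file into `findStaleResolutions` in place of the samples; any entry it returns is a dependent still pinned to an older range, which is exactly the case a `resolutions` entry (or an upstream bump of that dependent) has to close before the advisory can be considered fixed.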

@subrata71 subrata71 requested a review from riodeuno as a code owner October 10, 2025 07:34
@subrata71 subrata71 self-assigned this Oct 10, 2025
@subrata71 subrata71 added the ok-to-test Required label for CI label Oct 10, 2025
@github-actions github-actions bot added the Bug Something isn't working label Oct 10, 2025
coderabbitai bot (Contributor) commented Oct 10, 2025

Walkthrough

Axios dependency version updated from ^1.8.3 to ^1.12.0 in app/client/package.json (including resolutions) and app/client/packages/rts/package.json. No source code or public API changes.

Changes

Cohort / File(s) | Summary
Dependency version bump (axios): app/client/package.json, app/client/packages/rts/package.json | Update axios from ^1.8.3 to ^1.12.0. In app/client/package.json, version bumped in two dependency entries and in the resolutions map. In app/client/packages/rts/package.json, dependency updated under "dependencies".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

Axios sails to one-one-two,
A patch of paint, a brighter hue.
No routes rewired, no logic spun—
Just fresher wheels for the network run.
Ship it clean, dependencies in tune.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Description Check (⚠️ Warning): The pull request description includes the required section headings but does not adhere fully to the template's "Fixes" format or provide sufficient context under the Description section. The "Fixes CVE-2025-58754" line does not reference an issue number or URL as required, and the link to the Dependabot advisory is placed outside the standardized Fixes entry. While automation and communication sections are present, the Description block could be expanded with clearer motivation and context. Overall, the structure is mostly in place but the Fixes entry is incomplete and not in the expected format. Resolution: please update the Fixes line to use the recommended syntax, either "Fixes #" or "Fixes ", and ensure the advisory link is incorporated correctly. Additionally, consider adding a brief motivation statement under Description to explain the impact of the vulnerability and any relevant dependency details.

✅ Passed checks (2 passed)
Title Check (✅ Passed): The title concisely and accurately summarizes the main change, addressing CVE-2025-58754 by upgrading Axios, and follows the conventional commit style; it is clear, specific, and directly related to the PR's primary purpose.
Docstring Coverage (✅ Passed): No functions found in the changes. Docstring coverage check skipped.

@subrata71 subrata71 requested a review from ashit-rath October 15, 2025 08:11
@subrata71 subrata71 merged commit d7ddbde into release Oct 17, 2025
84 checks passed
@subrata71 subrata71 deleted the fix/CVE-2025-58754 branch October 17, 2025 11:02
