From 61836dbd6ca88255b9b91ad78ffb619fee319aa7 Mon Sep 17 00:00:00 2001
From: Jose Ignacio Palma
Date: Tue, 16 Jun 2026 01:05:31 -0400
Subject: [PATCH 1/2] fix: add npm override for axios to address CVE-2025-58754

Axios versions prior to 1.9.1 are vulnerable to Denial of Service via massive data schemas (CVE-2025-58754). The vulnerable version (1.9.0) is pulled as a transitive dependency from @edx/frontend-platform. Adding an npm override forces resolution to a patched version without changing the frontend-platform version, avoiding breaking changes.
---
 package.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package.json b/package.json
index e183ed65..6a9d1836 100644
--- a/package.json
+++ b/package.json
@@ -70,5 +70,8 @@
 "jest": "29.7.0",
 "prettier": "2.8.1",
 "rosie": "2.1.0"
+ },
+ "overrides": {
+ "axios": "^1.9.1"
 }
 }

From 8af646c8ee649a153f52f6a0bed20a6af5fbfe80 Mon Sep 17 00:00:00 2001
From: Jose Ignacio Palma
Date: Tue, 16 Jun 2026 01:43:11 -0400
Subject: [PATCH 2/2] fix: remove axios override (direct dep 0.27.2 not in vulnerable range)

This MFE uses axios 0.27.2 as a direct dependency, which is outside the CVE-2025-58754 vulnerable range (0.28.0-0.30.1 and 1.0.0-1.11.x). The npm override is not needed and conflicts with the direct dependency.
---
 package.json | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/package.json b/package.json
index 6a9d1836..e183ed65 100644
--- a/package.json
+++ b/package.json
@@ -70,8 +70,5 @@
 "jest": "29.7.0",
 "prettier": "2.8.1",
 "rosie": "2.1.0"
- },
- "overrides": {
- "axios": "^1.9.1"
 }
 }
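Review bot: The override floor `"axios": "^1.9.1"` in the first hunk does not exclude the versions this series itself describes as vulnerable — the second commit message gives the affected 1.x range as 1.0.0–1.11.x, so the first fixed release is 1.12.0 and the line should read `"axios": "^1.12.0"`; a `^1.9.1` range only lands above that if the lockfile happens to be regenerated against a current registry. Because a top-level `overrides` entry applies to every `axios` in the tree, it also rewrites the direct dependency (0.27.2 according to the follow-up commit), which npm rejects as a conflict; if the override is ever reintroduced it should be scoped to the transitive path, e.g. `"@edx/frontend-platform": { "axios": "^1.12.0" }`. The hunk touches package.json only, so a matching package-lock.json change and an `npm ls axios` check of what actually resolves are missing from the commit. Note that the follow-up's rationale ("0.27.2 is outside the range") covers only CVE-2025-58754; the 0.x line before 0.28.0 carries its own advisory (CVE-2023-45857, XSRF-TOKEN disclosure, fixed in 0.28.0), so `npm audit` rather than a single range comparison should decide whether the direct dependency is acceptable.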