Pin axios in bruno-electron due to compromised axios npm release #7634
Closed
Description
AI-generated notice: this issue was analyzed by AI and created by AI.
Hi Bruno team,
I wanted to report a supply-chain risk in packages/bruno-electron/package.json:
```json
"aws4-axios": "^3.3.0",
"axios": "^1.8.3",
"axios-ntlm": "^1.4.2"
```
Background:
- Aikido write-up: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
- Bruno package file: https://github.com/usebruno/bruno/blob/main/packages/bruno-electron/package.json
The concern is that fresh source installs during the compromise window could resolve the malicious axios@1.14.1 release:
- directly via `axios: ^1.8.3`
- transitively via `axios-ntlm: ^1.4.2` -> `axios: ^1.6.1`
From what I could verify, Bruno's published GitHub releases do not appear to have been built during the compromise window, so this looks more like a source-build / CI install exposure than a confirmed release-artifact compromise.
Suggested actions:
- pin `axios` to a known-safe version
- add an override/resolution to prevent bad transitive resolution
- refresh the lockfile
- publish a short clarification for users about whether any official Bruno builds were produced during the affected timeframe
Thanks!