Frontend/cve updates 2026-06-02 #1620

Merged: isabeleliassen merged 1 commit into csg-org:main from InspiringApps:frontend/cve-updates-2026-06-02 (Jun 2, 2026)

@jsandoval81 (Collaborator) commented Jun 2, 2026

Requirements List

  • yarn install --ignore-engines

Description List

Testing List

  • yarn test:unit:all should run without errors or warnings
  • yarn serve should run without errors or warnings
  • yarn build should run without errors or warnings
  • Code review

Closes #1619

Summary by CodeRabbit

  • Chores
    • Updated axios dependency to version 1.16.1

@coderabbitai Bot (Contributor) commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2b50cd59-5088-4b75-abf1-cc7cf721c651

📥 Commits

Reviewing files that changed from the base of the PR and between eee9fc6 and 75b79f0.

⛔ Files ignored due to path filters (1)
  • webroot/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • webroot/package.json

📝 Walkthrough

Update axios dependency from ^1.15.1 to ^1.16.1 in webroot/package.json to resolve three npm advisories and one GitHub dependabot vulnerability.

Changes

Axios CVE patch

| Layer / File(s) | Summary |
|---|---|
| Axios dependency version update: webroot/package.json | axios is bumped from ^1.15.1 to ^1.16.1 to address CVE-1119667, CVE-1119669, CVE-1119675, and a low-severity dependabot vulnerability. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • jlkravitz
  • isabeleliassen

Poem

🐰 A small patch hops through the code,
Axios fixed, the CVEs unload,
Three advisories now out of sight,
Security bumped, the bunny made it right! 🛡️

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Frontend/cve updates 2026-06-02' clearly identifies the main change as CVE-related frontend dependency updates, which matches the PR's primary objective of addressing security vulnerabilities. |
| Description check | ✅ Passed | The PR description covers all essential sections: requirements, description with links to specific CVEs, testing instructions, and linked issue reference; however, it lacks details on which specific packages were updated. |
| Linked Issues check | ✅ Passed | The axios dependency update from ^1.15.1 to ^1.16.1 directly addresses the three axios CVEs (#1119667, #1119669, #1119675) and the Dependabot finding mentioned in issue #1619. |
| Out of Scope Changes check | ✅ Passed | The PR contains only the axios version update in webroot/package.json, which is directly scoped to addressing the CVEs listed in issue #1619 with no extraneous changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

jsandoval81 requested a review from jlkravitz June 2, 2026 15:06

@jsandoval81 (Collaborator, Author)

@jlkravitz This is ready for your review.

@jlkravitz (Collaborator) left a comment

@isabeleliassen This is good to merge!

@isabeleliassen isabeleliassen merged commit 04f4234 into csg-org:main Jun 2, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues.

CVE Updates FE
