From 8db67732ad844bbfc12139ff5c4151f417c4acb0 Mon Sep 17 00:00:00 2001
From: Gldywn <14254051+Gldywn@users.noreply.github.com>
Date: Tue, 31 Mar 2026 10:06:45 +0200
Subject: [PATCH 1/2] Pin axios to exact version to prevent supply chain attacks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove caret range (^1.10.0 → 1.10.0) to ensure npm/pnpm never resolves a compromised version on fresh install or update.

Context: axios@1.14.1 and axios@0.30.4 were compromised via the plain-crypto-js malware package.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index dc169de..3577227 100644
--- a/package.json
+++ b/package.json
@@ -38,7 +38,7 @@
     "@types/node": "^24.0.12",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
-    "axios": "^1.10.0",
+    "axios": "1.10.0",
     "got": "^14.4.4",
     "jest": "^30.0.4",
     "json-schema-merge-allof": "^0.8.1",

From afcafcdd83f01a07e447a98a84b81cb6a9a946ab Mon Sep 17 00:00:00 2001
From: Gldywn <14254051+Gldywn@users.noreply.github.com>
Date: Tue, 31 Mar 2026 10:13:27 +0200
Subject: [PATCH 2/2] Update package-lock.json to match pinned axios version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sync lockfile specifier (^1.10.0 → 1.10.0) so npm ci doesn't fail on the mismatch.
---
 package-lock.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package-lock.json b/package-lock.json
index a51e742..0084444 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -22,7 +22,7 @@
     "@types/node": "^24.0.12",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
-    "axios": "^1.10.0",
+    "axios": "1.10.0",
     "got": "^14.4.4",
     "jest": "^30.0.4",
     "json-schema-merge-allof": "^0.8.1",
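Review bot: The exact pin on the `"axios": "1.10.0"` line only freezes the specifier for this one direct dependency; protection against a compromised release on a fresh install still rests on the lockfile's `resolved`/`integrity` entries and on installing with `npm ci` rather than `npm install`, neither of which this hunk changes, so the commit message's "never resolves a compromised version on fresh install" is stronger than what the change alone guarantees. Presumably axios's own dependencies and any transitive copy of axios pulled in by another package are still resolved by range, so if the goal is to keep a known-bad axios out of the tree, an `overrides` entry such as `"overrides": { "axios": "1.10.0" }` constrains every occurrence, not just the top-level one. Every neighbouring dependency in this block (`got`, `jest`, `ajv`, …) keeps its caret, which makes the pin look accidental rather than a policy; `save-exact=true` in `.npmrc` would make the intent explicit for future `npm install --save` calls. Since 1.10.0 is older than the versions the message names as compromised, the pin also forgoes later axios fixes, so a short note in the README or `.npmrc` recording why it is frozen and when it can be bumped would help whoever next touches it.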