Hi Brevo team 👋
Issue
When installing @getbrevo/brevo@3.0.1, the package pulls in axios via:
"dependencies": {
"axios": "^1.6.8"
}
This currently resolves to axios@1.11.0 in most setups.
However, recent security scans (e.g. Trivy) report the following issue:
• Library: axios
• Vulnerability: CVE-2025-58754
• Severity: HIGH
• Fixed in: 1.12.0
Suggested fix
Because ^1.6.8 allows anything <2.0.0, the fix is simple:
This ensures that new installs won’t pin vulnerable versions of axios and keeps Trivy and other scanners green without requiring manual resolutions/overrides inside the package.json.
If there aren't any complaints from your side, I could open a PR for that :)
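As an added illustration of the range arithmetic behind this issue (example code, not part of the issue or of the @getbrevo/brevo project), the script below implements caret-range semantics for a plain `MAJOR.MINOR.PATCH` version, compares a resolved version against the advisory's "Fixed in" version, and audits a constructed `package-lock.json` fragment. It assumes the proposed floor is `^1.12.0`, i.e. a caret range on the fixed version named in the scan output.

```javascript
// Added example: dependency-free checks for the situation described in the
// issue. Not the project's code; the lockfile fragment below is constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build tags not handled).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics for major >= 1: "^X.Y.Z" means ">=X.Y.Z <(X+1).0.0".
// npm narrows 0.x ranges further; those are rejected here rather than guessed.
function caretAllows(range, version) {
  if (!range.startsWith('^')) throw new Error('expected a caret range');
  const base = range.slice(1);
  if (parseSemver(base)[0] === 0) throw new Error('0.x caret ranges not handled');
  return compareSemver(version, base) >= 0 &&
    parseSemver(version)[0] === parseSemver(base)[0];
}

// True when the resolved version predates the version the advisory marks fixed.
function isBelowFix(resolved, fixedIn) {
  return compareSemver(resolved, fixedIn) < 0;
}

// Audit one package in a lockfile (v2/v3 "packages" layout): is the resolved
// version below the fix, and would a floor of "^<fixedIn>" still admit it?
function auditLock(lock, pkg, fixedIn) {
  const entry = lock.packages && lock.packages[`node_modules/${pkg}`];
  if (!entry) throw new Error(`${pkg} not in lockfile`);
  return {
    resolved: entry.version,
    vulnerable: isBelowFix(entry.version, fixedIn),
    allowedByFloor: caretAllows(`^${fixedIn}`, entry.version),
  };
}

// Constructed lockfile fragment mirroring the resolution described above.
const sampleLock = { packages: { 'node_modules/axios': { version: '1.11.0' } } };

console.log(auditLock(sampleLock, 'axios', '1.12.0'));
// → { resolved: '1.11.0', vulnerable: true, allowedByFloor: false }
```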